Malware Analysis Report

2024-11-16 12:40

Sample ID 240303-x9vrlaeh3t
Target Chernobyl.exe
SHA256 3df8578b571811a77eefdf07069bd4d1ba16af70dba81bcf91d8182171728f74
Tags
bootkit discovery evasion exploit persistence ransomware trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file Chernobyl.exe was found to be: Known bad.

Malicious Activity Summary

bootkit discovery evasion exploit persistence ransomware trojan

Modifies WinLogon for persistence

Contains code to disable Windows Defender

UAC bypass

Disables Task Manager via registry modification

Possible privilege escalation attempt

Disables RegEdit via registry modification

Modifies system executable filetype association

Modifies file permissions

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Modifies WinLogon

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies File Icons

Modifies Control Panel

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

System policy modification

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-03-03 19:33

Signatures

Contains code to disable Windows Defender


Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-03-03 19:33

Reported

2024-03-03 19:35

Platform

win7-20240221-en

Max time kernel

44s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"

Signatures

Contains code to disable Windows Defender


Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\kill.ico C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
File opened for modification C:\Windows\System32\wallpaper.jpg C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\cluttscape.exe C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
File opened for modification C:\Windows\cluttscape.exe C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Modifies File Icons

ransomware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\3 = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\4 = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pnffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ratfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pjpegfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B} C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icmfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon\ = "C:\\Windows\\System32\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2068 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2040 wrote to memory of 1668 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2068 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1344 wrote to memory of 2472 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2068 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 1380 wrote to memory of 1268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2068 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2068 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2392 wrote to memory of 768 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 812 wrote to memory of 2296 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2068 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2068 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2068 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2280 wrote to memory of 2140 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2068 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2276 wrote to memory of 3008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\conhost.exe
PID 2068 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\system32\rundll32.exe
PID 2068 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe
PID 2932 wrote to memory of 640 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 936 wrote to memory of 400 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\conhost.exe
PID 2068 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\System32\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe

"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "16458688061760042074-2341047071845534319-10958496752041113015-1457638937920875746"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5287247158089540-5255966621685800757235953891-7194508511379159619-1481195915"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "20049096051025234728-21387343047721224911131857728-1029093376-718586621-326576182"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1025118129-40351548620481363539748882051785045091-248190717-30040193-363024293"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-955187051-539411615-14042259001207550693925546817-1049803682-13763746701915925880"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "10477538151801234206862685643-8902644041290190972-1400448523-1969540054-1758755104"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1380788135-452445478-888798651-128378181517573906669294157851778882532576685743"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "943240922-126595956916461782111933009434-111269411-825314870154178692164020828"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\smss.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\csrss.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\wininit.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\LogonUI.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\smss.exe /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\wininit.exe /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\csrss.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\LogonUI.exe /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\lsass.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\lsass.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\services.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\winlogon.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\winload.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\winload.efi

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\winlogon.exe /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\ntoskrnl.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\services.exe /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\winload.efi /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\winload.exe /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\ntoskrnl.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\smss.exe && icacls C:\Windows\SysWOW64\smss.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\csrss.exe && icacls C:\Windows\SysWOW64\csrss.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\wininit.exe && icacls C:\Windows\SysWOW64\wininit.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\svchost.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\smss.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\csrss.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\LogonUI.exe && icacls C:\Windows\SysWOW64\LogonUI.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\lsass.exe && icacls C:\Windows\SysWOW64\lsass.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\wininit.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\svchost.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\services.exe && icacls C:\Windows\SysWOW64\services.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\LogonUI.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\wininit.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winlogon.exe && icacls C:\Windows\SysWOW64\winlogon.exe /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.efi && icacls C:\Windows\SysWOW64\winload.efi /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\winload.exe && icacls C:\Windows\SysWOW64\winload.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\lsass.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\services.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\ntoskrnl.exe && icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\winload.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\SysWOW64\svchost.exe && icacls C:\Windows\SysWOW64\svchost.exe /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\winload.efi

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\winlogon.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\ntoskrnl.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\1394bus.sys && icacls C:\Windows\System32\drivers\1394bus.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\1394ohci.sys && icacls C:\Windows\System32\drivers\1394ohci.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpi.sys && icacls C:\Windows\System32\drivers\acpi.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\svchost.exe /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\1394bus.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\1394bus.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\1394ohci.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\acpipmi.sys && icacls C:\Windows\System32\drivers\acpipmi.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adp94xx.sys && icacls C:\Windows\System32\drivers\adp94xx.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\1394ohci.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\acpi.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adpahci.sys && icacls C:\Windows\System32\drivers\adpahci.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\adpu320.sys && icacls C:\Windows\System32\drivers\adpu320.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\acpi.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\adp94xx.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\acpipmi.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\adpahci.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afd.sys && icacls C:\Windows\System32\drivers\afd.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\acpipmi.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\agilevpn.sys && icacls C:\Windows\System32\drivers\agilevpn.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\adp94xx.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\adpahci.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\adpu320.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\afd.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\adpu320.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\agilevpn.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\AGP440.sys && icacls C:\Windows\System32\drivers\AGP440.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\afd.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\agilevpn.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\aliide.sys && icacls C:\Windows\System32\drivers\aliide.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\AGP440.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdide.sys && icacls C:\Windows\System32\drivers\amdide.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdk8.sys && icacls C:\Windows\System32\drivers\amdk8.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\AGP440.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdppm.sys && icacls C:\Windows\System32\drivers\amdppm.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\aliide.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsata.sys && icacls C:\Windows\System32\drivers\amdsata.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdk8.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdide.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdk8.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdide.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdsbs.sys && icacls C:\Windows\System32\drivers\amdsbs.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdppm.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\aliide.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdppm.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\amdxata.sys && icacls C:\Windows\System32\drivers\amdxata.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdsata.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdsata.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\appid.sys && icacls C:\Windows\System32\drivers\appid.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\arc.sys && icacls C:\Windows\System32\drivers\arc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdsbs.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\arcsas.sys && icacls C:\Windows\System32\drivers\arcsas.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\asyncmac.sys && icacls C:\Windows\System32\drivers\asyncmac.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\amdxata.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\atapi.sys && icacls C:\Windows\System32\drivers\atapi.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdsbs.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\arc.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\appid.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\amdxata.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ataport.sys && icacls C:\Windows\System32\drivers\ataport.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\arc.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\b57nd60a.sys && icacls C:\Windows\System32\drivers\b57nd60a.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\appid.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\arcsas.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\battc.sys && icacls C:\Windows\System32\drivers\battc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\asyncmac.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-47320656-1961580554-551375662-1143936035609843098956902264-484539418-740232667"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\b57nd60a.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\arcsas.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ataport.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\beep.sys && icacls C:\Windows\System32\drivers\beep.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\atapi.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\blbdrive.sys && icacls C:\Windows\System32\drivers\blbdrive.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\asyncmac.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\b57nd60a.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ataport.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\battc.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\atapi.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bowser.sys && icacls C:\Windows\System32\drivers\bowser.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\blbdrive.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\battc.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\beep.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrFiltLo.sys && icacls C:\Windows\System32\drivers\BrFiltLo.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\blbdrive.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrFiltUp.sys && icacls C:\Windows\System32\drivers\BrFiltUp.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\beep.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bridge.sys && icacls C:\Windows\System32\drivers\bridge.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\bowser.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrFiltLo.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrSerId.sys && icacls C:\Windows\System32\drivers\BrSerId.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrFiltLo.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrSerWdm.sys && icacls C:\Windows\System32\drivers\BrSerWdm.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\bridge.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\bowser.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrFiltUp.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrUsbMdm.sys && icacls C:\Windows\System32\drivers\BrUsbMdm.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\bridge.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrSerId.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrFiltUp.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\BrUsbSer.sys && icacls C:\Windows\System32\drivers\BrUsbSer.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bthmodem.sys && icacls C:\Windows\System32\drivers\bthmodem.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrSerId.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrSerWdm.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\bxvbda.sys && icacls C:\Windows\System32\drivers\bxvbda.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-20663756501549713040205383416-1949295970-1847517256656668718-10248136571617888576"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrUsbSer.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cdfs.sys && icacls C:\Windows\System32\drivers\cdfs.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrUsbSer.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\BrUsbMdm.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cdrom.sys && icacls C:\Windows\System32\drivers\cdrom.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrSerWdm.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\circlass.sys && icacls C:\Windows\System32\drivers\circlass.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\bthmodem.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\BrUsbMdm.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\bxvbda.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\bthmodem.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\cdrom.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Classpnp.sys && icacls C:\Windows\System32\drivers\Classpnp.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\bxvbda.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\cdfs.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\cdrom.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\CmBatt.sys && icacls C:\Windows\System32\drivers\CmBatt.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\circlass.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\circlass.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cmdide.sys && icacls C:\Windows\System32\drivers\cmdide.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Classpnp.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\cng.sys && icacls C:\Windows\System32\drivers\cng.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\compbatt.sys && icacls C:\Windows\System32\drivers\compbatt.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\cdfs.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\Classpnp.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\CompositeBus.sys && icacls C:\Windows\System32\drivers\CompositeBus.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\crashdmp.sys && icacls C:\Windows\System32\drivers\crashdmp.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\cng.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\CmBatt.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\cmdide.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\cmdide.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\CmBatt.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\crcdisk.sys && icacls C:\Windows\System32\drivers\crcdisk.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\CompositeBus.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\compbatt.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\csc.sys && icacls C:\Windows\System32\drivers\csc.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\CompositeBus.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\cng.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dfsc.sys && icacls C:\Windows\System32\drivers\dfsc.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\compbatt.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\discache.sys && icacls C:\Windows\System32\drivers\discache.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\crcdisk.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\crashdmp.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\crcdisk.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\disk.sys && icacls C:\Windows\System32\drivers\disk.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\csc.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\discache.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\crashdmp.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dfsc.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\csc.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Diskdump.sys && icacls C:\Windows\System32\drivers\Diskdump.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dfsc.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\discache.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dmvsc.sys && icacls C:\Windows\System32\drivers\dmvsc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\disk.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\drmk.sys && icacls C:\Windows\System32\drivers\drmk.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\drmkaud.sys && icacls C:\Windows\System32\drivers\drmkaud.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Dumpata.sys && icacls C:\Windows\System32\drivers\Dumpata.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dmvsc.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\disk.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dmvsc.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dumpfve.sys && icacls C:\Windows\System32\drivers\dumpfve.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Diskdump.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\drmk.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\Diskdump.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Dumpata.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\drmkaud.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxapi.sys && icacls C:\Windows\System32\drivers\dxapi.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\drmk.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\Dumpata.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\drmkaud.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxg.sys && icacls C:\Windows\System32\drivers\dxg.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dumpfve.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxgkrnl.sys && icacls C:\Windows\System32\drivers\dxgkrnl.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\dxgmms1.sys && icacls C:\Windows\System32\drivers\dxgmms1.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dumpfve.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dxapi.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dxg.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\elxstor.sys && icacls C:\Windows\System32\drivers\elxstor.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dxgkrnl.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dxapi.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dxg.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\errdev.sys && icacls C:\Windows\System32\drivers\errdev.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\evbda.sys && icacls C:\Windows\System32\drivers\evbda.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\elxstor.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\dxgmms1.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dxgkrnl.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\elxstor.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\exfat.sys && icacls C:\Windows\System32\drivers\exfat.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\dxgmms1.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fastfat.sys && icacls C:\Windows\System32\drivers\fastfat.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\evbda.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fdc.sys && icacls C:\Windows\System32\drivers\fdc.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\errdev.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\evbda.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fileinfo.sys && icacls C:\Windows\System32\drivers\fileinfo.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\exfat.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\errdev.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\filetrace.sys && icacls C:\Windows\System32\drivers\filetrace.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fdc.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\exfat.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\flpydisk.sys && icacls C:\Windows\System32\drivers\flpydisk.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fastfat.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fdc.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fileinfo.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fltMgr.sys && icacls C:\Windows\System32\drivers\fltMgr.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fsdepends.sys && icacls C:\Windows\System32\drivers\fsdepends.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fileinfo.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fastfat.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fs_rec.sys && icacls C:\Windows\System32\drivers\fs_rec.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\filetrace.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fsdepends.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\fvevol.sys && icacls C:\Windows\System32\drivers\fvevol.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fltMgr.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\flpydisk.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\filetrace.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\FWPKCLNT.SYS && icacls C:\Windows\System32\drivers\FWPKCLNT.SYS /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fsdepends.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\GAGP30KX.SYS && icacls C:\Windows\System32\drivers\GAGP30KX.SYS /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\flpydisk.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fs_rec.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fltMgr.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\FWPKCLNT.SYS

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fs_rec.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\fvevol.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hcw85cir.sys && icacls C:\Windows\System32\drivers\hcw85cir.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hdaudbus.sys && icacls C:\Windows\System32\drivers\hdaudbus.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\FWPKCLNT.SYS /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\GAGP30KX.SYS

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\gmreadme.txt

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HdAudio.sys && icacls C:\Windows\System32\drivers\HdAudio.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\GAGP30KX.SYS /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\fvevol.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\gm.dls

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidbatt.sys && icacls C:\Windows\System32\drivers\hidbatt.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\gm.dls /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\gmreadme.txt /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hcw85cir.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hdaudbus.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hcw85cir.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hdaudbus.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidbth.sys && icacls C:\Windows\System32\drivers\hidbth.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\HdAudio.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidclass.sys && icacls C:\Windows\System32\drivers\hidclass.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidbatt.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidir.sys && icacls C:\Windows\System32\drivers\hidir.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hidbatt.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\HdAudio.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidbth.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidparse.sys && icacls C:\Windows\System32\drivers\hidparse.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidclass.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hidbth.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hidusb.sys && icacls C:\Windows\System32\drivers\hidusb.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hidclass.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\HpSAMD.sys && icacls C:\Windows\System32\drivers\HpSAMD.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidir.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidparse.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\http.sys && icacls C:\Windows\System32\drivers\http.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2009073917732663071670004183-1855518428-836762450-1435725251-854236903-1722664778"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hidusb.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\hwpolicy.sys && icacls C:\Windows\System32\drivers\hwpolicy.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hidir.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hidparse.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\HpSAMD.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hidusb.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\i8042prt.sys && icacls C:\Windows\System32\drivers\i8042prt.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\HpSAMD.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\http.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iaStorV.sys && icacls C:\Windows\System32\drivers\iaStorV.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\hwpolicy.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\iirsp.sys && icacls C:\Windows\System32\drivers\iirsp.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\http.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\hwpolicy.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\i8042prt.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\iaStorV.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelide.sys && icacls C:\Windows\System32\drivers\intelide.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\intelppm.sys && icacls C:\Windows\System32\drivers\intelppm.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ipfltdrv.sys && icacls C:\Windows\System32\drivers\ipfltdrv.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\i8042prt.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\iaStorV.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\iirsp.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\iirsp.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\IPMIDrv.sys && icacls C:\Windows\System32\drivers\IPMIDrv.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ipnat.sys && icacls C:\Windows\System32\drivers\ipnat.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\intelppm.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\intelide.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\irda.sys && icacls C:\Windows\System32\drivers\irda.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\intelide.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\intelppm.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\irenum.sys && icacls C:\Windows\System32\drivers\irenum.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\IPMIDrv.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ipfltdrv.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\isapnp.sys && icacls C:\Windows\System32\drivers\isapnp.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ipnat.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\IPMIDrv.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\irda.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdclass.sys && icacls C:\Windows\System32\drivers\kbdclass.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ipfltdrv.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\irenum.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\kbdhid.sys && icacls C:\Windows\System32\drivers\kbdhid.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ipnat.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\irda.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ks.sys && icacls C:\Windows\System32\drivers\ks.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\irenum.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecdd.sys && icacls C:\Windows\System32\drivers\ksecdd.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\isapnp.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\kbdclass.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksecpkg.sys && icacls C:\Windows\System32\drivers\ksecpkg.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ks.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\kbdhid.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ksthunk.sys && icacls C:\Windows\System32\drivers\ksthunk.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\isapnp.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\kbdclass.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ksecdd.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\kbdhid.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ks.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ksecpkg.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ksecdd.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lltdio.sys && icacls C:\Windows\System32\drivers\lltdio.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_fc.sys && icacls C:\Windows\System32\drivers\lsi_fc.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ksecpkg.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ksthunk.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas.sys && icacls C:\Windows\System32\drivers\lsi_sas.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ksthunk.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_sas2.sys && icacls C:\Windows\System32\drivers\lsi_sas2.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lsi_fc.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lltdio.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lsi_sas.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\lsi_scsi.sys && icacls C:\Windows\System32\drivers\lsi_scsi.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lsi_sas2.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\lsi_fc.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\luafv.sys && icacls C:\Windows\System32\drivers\luafv.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "821171106-13132607852750238001029164962-19380523714014206011873636859-412662357"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\lltdio.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\lsi_sas2.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mcd.sys && icacls C:\Windows\System32\drivers\mcd.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\lsi_sas.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\lsi_scsi.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\megasas.sys && icacls C:\Windows\System32\drivers\megasas.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MegaSR.sys && icacls C:\Windows\System32\drivers\MegaSR.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\luafv.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\modem.sys && icacls C:\Windows\System32\drivers\modem.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\lsi_scsi.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mcd.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\monitor.sys && icacls C:\Windows\System32\drivers\monitor.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\luafv.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouclass.sys && icacls C:\Windows\System32\drivers\mouclass.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mcd.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mouhid.sys && icacls C:\Windows\System32\drivers\mouhid.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\megasas.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\MegaSR.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\modem.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\megasas.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mountmgr.sys && icacls C:\Windows\System32\drivers\mountmgr.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpio.sys && icacls C:\Windows\System32\drivers\mpio.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\monitor.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\modem.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\MegaSR.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mpsdrv.sys && icacls C:\Windows\System32\drivers\mpsdrv.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxdav.sys && icacls C:\Windows\System32\drivers\mrxdav.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mouclass.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb.sys && icacls C:\Windows\System32\drivers\mrxsmb.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\monitor.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb10.sys && icacls C:\Windows\System32\drivers\mrxsmb10.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1983115247-1434122079-614781042-7406681702089988482-331161857-333778550-918386086"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mouhid.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2141853289-917733064-158127044-3866211610232782301006422223-242268813-1884497704"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15541073201327003157-1033637160-1112205660520911141596239588-293012031503135362"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mpio.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mrxsmb20.sys && icacls C:\Windows\System32\drivers\mrxsmb20.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mouclass.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mountmgr.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mpio.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msahci.sys && icacls C:\Windows\System32\drivers\msahci.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mouhid.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mpsdrv.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mrxsmb10.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mrxdav.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mountmgr.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mrxsmb.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mpsdrv.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msdsm.sys && icacls C:\Windows\System32\drivers\msdsm.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mrxsmb20.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mrxsmb10.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mrxdav.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mrxsmb.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msfs.sys && icacls C:\Windows\System32\drivers\msfs.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mrxsmb20.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msahci.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf && icacls C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msdsm.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msfs.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msahci.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msdsm.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mshidkmdf.sys && icacls C:\Windows\System32\drivers\mshidkmdf.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msfs.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msisadrv.sys && icacls C:\Windows\System32\drivers\msisadrv.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msiscsi.sys && icacls C:\Windows\System32\drivers\msiscsi.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mskssrv.sys && icacls C:\Windows\System32\drivers\mskssrv.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspclock.sys && icacls C:\Windows\System32\drivers\mspclock.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mspqm.sys && icacls C:\Windows\System32\drivers\mspqm.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mshidkmdf.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msisadrv.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msiscsi.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\msrpc.sys && icacls C:\Windows\System32\drivers\msrpc.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mshidkmdf.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "112174941115455205722096464011973091391775900097-931240359-2138449729131979299"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msiscsi.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mskssrv.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msisadrv.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mssmbios.sys && icacls C:\Windows\System32\drivers\mssmbios.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mstee.sys && icacls C:\Windows\System32\drivers\mstee.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mspqm.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mspclock.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mskssrv.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\MTConfig.sys && icacls C:\Windows\System32\drivers\MTConfig.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mspqm.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\msrpc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\mup.sys && icacls C:\Windows\System32\drivers\mup.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mspclock.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndis.sys && icacls C:\Windows\System32\drivers\ndis.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiscap.sys && icacls C:\Windows\System32\drivers\ndiscap.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\msrpc.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mssmbios.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mstee.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndistapi.sys && icacls C:\Windows\System32\drivers\ndistapi.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\mup.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mup.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mstee.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndis.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\mssmbios.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\MTConfig.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndiscap.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndisuio.sys && icacls C:\Windows\System32\drivers\ndisuio.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndis.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\MTConfig.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndiscap.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndistapi.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndiswan.sys && icacls C:\Windows\System32\drivers\ndiswan.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ndproxy.sys && icacls C:\Windows\System32\drivers\ndproxy.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbios.sys && icacls C:\Windows\System32\drivers\netbios.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netbt.sys && icacls C:\Windows\System32\drivers\netbt.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndistapi.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\netio.sys && icacls C:\Windows\System32\drivers\netio.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nfrd960.sys && icacls C:\Windows\System32\drivers\nfrd960.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndisuio.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndiswan.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ndproxy.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\netbios.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\npfs.sys && icacls C:\Windows\System32\drivers\npfs.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\netbt.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndisuio.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nfrd960.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\netbios.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndiswan.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nsiproxy.sys && icacls C:\Windows\System32\drivers\nsiproxy.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\netbt.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\netio.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ndproxy.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\nfrd960.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ntfs.sys && icacls C:\Windows\System32\drivers\ntfs.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\null.sys && icacls C:\Windows\System32\drivers\null.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\netio.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\npfs.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvraid.sys && icacls C:\Windows\System32\drivers\nvraid.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ntfs.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nsiproxy.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nvstor.sys && icacls C:\Windows\System32\drivers\nvstor.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\npfs.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\null.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ntfs.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\nsiproxy.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\NV_AGP.SYS && icacls C:\Windows\System32\drivers\NV_AGP.SYS /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\nwifi.sys && icacls C:\Windows\System32\drivers\nwifi.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nvraid.sys

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-767348041-1026827181544141063-1338409625938758166619160371-9596168031617243366"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\null.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nvstor.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\nvraid.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\NV_AGP.SYS

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\nvstor.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ohci1394.sys && icacls C:\Windows\System32\drivers\ohci1394.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\NV_AGP.SYS /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\nwifi.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pacer.sys && icacls C:\Windows\System32\drivers\pacer.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\parport.sys && icacls C:\Windows\System32\drivers\parport.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\partmgr.sys && icacls C:\Windows\System32\drivers\partmgr.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pci.sys && icacls C:\Windows\System32\drivers\pci.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\nwifi.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciide.sys && icacls C:\Windows\System32\drivers\pciide.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\partmgr.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pacer.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pci.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ohci1394.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pciidex.sys && icacls C:\Windows\System32\drivers\pciidex.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcmcia.sys && icacls C:\Windows\System32\drivers\pcmcia.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\partmgr.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ohci1394.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\pci.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\pacer.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pciide.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pcmcia.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\pciide.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\parport.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\pcw.sys && icacls C:\Windows\System32\drivers\pcw.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\pcmcia.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\parport.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\PEAuth.sys && icacls C:\Windows\System32\drivers\PEAuth.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pciidex.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\portcls.sys && icacls C:\Windows\System32\drivers\portcls.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\processr.sys && icacls C:\Windows\System32\drivers\processr.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ql2300.sys && icacls C:\Windows\System32\drivers\ql2300.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\pciidex.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\PEAuth.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ql40xx.sys && icacls C:\Windows\System32\drivers\ql40xx.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\pcw.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\PEAuth.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ql2300.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\qwavedrv.sys && icacls C:\Windows\System32\drivers\qwavedrv.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\processr.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rasacd.sys && icacls C:\Windows\System32\drivers\rasacd.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-849558772-920276630-3332335372006697455-11627957101218434821-1337156226953193726"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\processr.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\pcw.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ql2300.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\portcls.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rasl2tp.sys && icacls C:\Windows\System32\drivers\rasl2tp.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ql40xx.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\portcls.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\qwavedrv.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\raspppoe.sys && icacls C:\Windows\System32\drivers\raspppoe.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\raspptp.sys && icacls C:\Windows\System32\drivers\raspptp.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ql40xx.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "2076895029-2001306698-1297830987-1023682694855611755-192659730725361652366288406"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\qwavedrv.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rasacd.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rassstp.sys && icacls C:\Windows\System32\drivers\rassstp.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rasl2tp.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rasacd.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\raspppoe.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdbss.sys && icacls C:\Windows\System32\drivers\rdbss.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpbus.sys && icacls C:\Windows\System32\drivers\rdpbus.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rasl2tp.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\raspptp.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\raspppoe.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPCDD.sys && icacls C:\Windows\System32\drivers\RDPCDD.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpdr.sys && icacls C:\Windows\System32\drivers\rdpdr.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rassstp.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\raspptp.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPENCDD.sys && icacls C:\Windows\System32\drivers\RDPENCDD.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdbss.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdpbus.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RDPREFMP.sys && icacls C:\Windows\System32\drivers\RDPREFMP.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rassstp.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rdbss.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdpdr.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rdpbus.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\RDPCDD.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpvideominiport.sys && icacls C:\Windows\System32\drivers\rdpvideominiport.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\RDPENCDD.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rdpdr.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\RDPCDD.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\RDPREFMP.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdpwd.sys && icacls C:\Windows\System32\drivers\rdpwd.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\RDPREFMP.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\RDPENCDD.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdpvideominiport.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rdyboost.sys && icacls C:\Windows\System32\drivers\rdyboost.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "131197621-2044575529-1304336210537559764-1660967616-822976476-187918570-6295702"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rmcast.sys && icacls C:\Windows\System32\drivers\rmcast.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rdpvideominiport.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\RNDISMP.sys && icacls C:\Windows\System32\drivers\RNDISMP.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rootmdm.sys && icacls C:\Windows\System32\drivers\rootmdm.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\rspndr.sys && icacls C:\Windows\System32\drivers\rspndr.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdyboost.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rdpwd.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rmcast.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Rtnic64.sys && icacls C:\Windows\System32\drivers\Rtnic64.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rootmdm.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rdyboost.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rdpwd.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sbp2port.sys && icacls C:\Windows\System32\drivers\sbp2port.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rootmdm.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\RNDISMP.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rmcast.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\scfilter.sys && icacls C:\Windows\System32\drivers\scfilter.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\RNDISMP.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\rspndr.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Rtnic64.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\Rtnic64.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\rspndr.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\scsiport.sys && icacls C:\Windows\System32\drivers\scsiport.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\secdrv.sys && icacls C:\Windows\System32\drivers\secdrv.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sbp2port.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\scfilter.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\serenum.sys && icacls C:\Windows\System32\drivers\serenum.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\sbp2port.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-275867954-816991609-1973482163212926253543460737-2087791122-992445457-680969347"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\serial.sys && icacls C:\Windows\System32\drivers\serial.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\scfilter.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "110306519433655741875088130-1969021722-1141734097-1985945776-14877061921538306937"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sermouse.sys && icacls C:\Windows\System32\drivers\sermouse.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffdisk.sys && icacls C:\Windows\System32\drivers\sffdisk.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\secdrv.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\secdrv.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\scsiport.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\serial.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\serenum.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffp_mmc.sys && icacls C:\Windows\System32\drivers\sffp_mmc.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sffp_sd.sys && icacls C:\Windows\System32\drivers\sffp_sd.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\serial.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\serenum.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\scsiport.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sffdisk.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sfloppy.sys && icacls C:\Windows\System32\drivers\sfloppy.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sisraid2.sys && icacls C:\Windows\System32\drivers\sisraid2.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sermouse.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\sffdisk.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sffp_mmc.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sffp_sd.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\sffp_mmc.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sfloppy.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\sffp_sd.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\sermouse.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\sisraid4.sys && icacls C:\Windows\System32\drivers\sisraid4.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\smb.sys && icacls C:\Windows\System32\drivers\smb.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\sfloppy.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sisraid2.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\smclib.sys && icacls C:\Windows\System32\drivers\smclib.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\spldr.sys && icacls C:\Windows\System32\drivers\spldr.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\sisraid2.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\spsys.sys && icacls C:\Windows\System32\drivers\spsys.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\smclib.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\spldr.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\sisraid4.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\smb.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\sisraid4.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\smclib.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\smb.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srv.sys && icacls C:\Windows\System32\drivers\srv.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\spldr.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1439523849-89855239417051189187311152-753292813-6688488201229614800789990040"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\spsys.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srv2.sys && icacls C:\Windows\System32\drivers\srv2.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\srvnet.sys && icacls C:\Windows\System32\drivers\srvnet.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\srv.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\stexstor.sys && icacls C:\Windows\System32\drivers\stexstor.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\srv.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\spsys.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\storport.sys && icacls C:\Windows\System32\drivers\storport.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\srvnet.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\stexstor.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\srv2.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\storvsc.sys && icacls C:\Windows\System32\drivers\storvsc.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\stream.sys && icacls C:\Windows\System32\drivers\stream.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\stexstor.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\srvnet.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\srv2.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\storport.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\swenum.sys && icacls C:\Windows\System32\drivers\swenum.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\Synth3dVsc.sys && icacls C:\Windows\System32\drivers\Synth3dVsc.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\storport.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\storvsc.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\stream.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\storvsc.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tape.sys && icacls C:\Windows\System32\drivers\tape.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tcpip.sys && icacls C:\Windows\System32\drivers\tcpip.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\stream.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\swenum.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tcpipreg.sys && icacls C:\Windows\System32\drivers\tcpipreg.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdi.sys && icacls C:\Windows\System32\drivers\tdi.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\Synth3dVsc.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdpipe.sys && icacls C:\Windows\System32\drivers\tdpipe.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tcpip.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tape.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\swenum.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\Synth3dVsc.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdtcp.sys && icacls C:\Windows\System32\drivers\tdtcp.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\tcpip.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tcpipreg.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tdx.sys && icacls C:\Windows\System32\drivers\tdx.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\tape.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tdi.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tdpipe.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\tcpipreg.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\tdi.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\tdpipe.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\termdd.sys && icacls C:\Windows\System32\drivers\termdd.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tdx.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tdtcp.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\terminpt.sys && icacls C:\Windows\System32\drivers\terminpt.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tssecsrv.sys && icacls C:\Windows\System32\drivers\tssecsrv.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\tdx.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5254698641626100822-17822577821108865617208495359811934740846430294325406599"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\tdtcp.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\TsUsbFlt.sys && icacls C:\Windows\System32\drivers\TsUsbFlt.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tssecsrv.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\TsUsbGD.sys && icacls C:\Windows\System32\drivers\TsUsbGD.sys /grant "%username%:F" && exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1621972821-186423536-976347298-55815338-13948156341237883302-18084894311537270689"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\termdd.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\tssecsrv.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tsusbhub.sys && icacls C:\Windows\System32\drivers\tsusbhub.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\tunnel.sys && icacls C:\Windows\System32\drivers\tunnel.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\termdd.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\TsUsbGD.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\TsUsbFlt.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\UAGP35.SYS && icacls C:\Windows\System32\drivers\UAGP35.SYS /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\terminpt.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\udfs.sys && icacls C:\Windows\System32\drivers\udfs.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tsusbhub.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\terminpt.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\TsUsbGD.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\TsUsbFlt.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\tunnel.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\ULIAGPKX.SYS && icacls C:\Windows\System32\drivers\ULIAGPKX.SYS /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\umbus.sys && icacls C:\Windows\System32\drivers\umbus.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\tsusbhub.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\tunnel.sys /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\udfs.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\UAGP35.SYS

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\umpass.sys && icacls C:\Windows\System32\drivers\umpass.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\UAGP35.SYS /grant "Admin:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\umbus.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\ULIAGPKX.SYS

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usb8023.sys && icacls C:\Windows\System32\drivers\usb8023.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\ULIAGPKX.SYS /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\umbus.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\udfs.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\USBCAMD2.sys && icacls C:\Windows\System32\drivers\USBCAMD2.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\umpass.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbccgp.sys && icacls C:\Windows\System32\drivers\usbccgp.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbcir.sys && icacls C:\Windows\System32\drivers\usbcir.sys /grant "%username%:F" && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbd.sys && icacls C:\Windows\System32\drivers\usbd.sys /grant "%username%:F" && exit

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\umpass.sys /grant "Admin:F"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-18527294761008946761-13354187-1962718761-2016503921823899208-2041297686589303772"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbehci.sys && icacls C:\Windows\System32\drivers\usbehci.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\USBCAMD2.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\usb8023.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbhub.sys && icacls C:\Windows\System32\drivers\usbhub.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\usbccgp.sys

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbohci.sys && icacls C:\Windows\System32\drivers\usbohci.sys /grant "%username%:F" && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\usbd.sys

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\usbcir.sys

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\usb8023.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\usbccgp.sys /grant "Admin:F"

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\USBCAMD2.sys /grant "Admin:F"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\usbport.sys && icacls C:\Windows\System32\drivers\usbport.sys /grant "%username%:F" && exit

Network

N/A

Files

memory/2068-0-0x000000013FA80000-0x000000013FAEE000-memory.dmp

memory/2068-1-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

memory/2068-2-0x000000001BA30000-0x000000001BAB0000-memory.dmp

C:\Users\Admin\Desktop\MountFind.htm.CIHENCRYPTOR

MD5 4945cbc2f409897d542893fc4035f15a
SHA1 346a4b1af3d1e868074faad1c7e015bf590956e9
SHA256 2e9f8c3035259edf1ee9f7728c35e70cd25c4d206f3ebb369bd8b40dbdabc583
SHA512 15c09be55975b7685f227d0c773e645ef9d78b85408cb3b75403635ec11080d42cf190ecfc8784bd4e560c19dfaefd4a2acf53fa69c0d33e5bed396baad72f9e

C:\Users\Admin\Desktop\TestProtect.txt.CIHENCRYPTOR

MD5 c20f13136299814d71994a27067301d2
SHA1 d2800507b1fa996743807cbb119a7bf6b3d39385
SHA256 2dcc93af37fb15f3077dea4c6cd79ee57d2896738b722df2471a57e80d110f89
SHA512 165fb33b84c82035db639e34d0f4d3bcf9527ba73c5735c85ad013873ba6ad11044800383a3524740c9095081e59172e3b43837795c2231bb293fa15f89126c3

C:\Users\Admin\Desktop\¶4½♪¶₧ø∩◘╠╤ě9ÿïń¶▄▲½ε5ž®µ3¥╥▐ö♥½►ÆåÂ▌◘♀ž▼╚šńå╔¾¼↕ø☻œ¾45¼é█◘½•ó◄▄č₧ÿ█9¤®▀Σ—╩■•ń™2▄♫ě♦◘œ—9♠♥╠♂☼↑♫▌ÿ■╔▀

MD5 9e1e5883c74742a497cf5c272ccd2321
SHA1 2cf33e34d08b8e17743a60352baffef4b6f02dee
SHA256 ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
SHA512 f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b

C:\Users\Admin\AppData\Local\Temp\wallpaper.bmp

MD5 18e0b500eebdd3f868af5388baa7ff79
SHA1 49a5acb14e59a9e2fb370425bffcda9d00d84fb6
SHA256 9a1dbb8a87da13e11ac40e6d77981cac8698aa289b87f0db8ee5240f6cbd31df
SHA512 15415fe9e2a384e2190a3d24ab34614f871cc8666e333add5fb4b5029464c1dd7f09bb917908d7e62fbfe27fc0b13ef1f6ddd9d8a5b077c4e4729f06ff407dc4

memory/2068-136-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

memory/2068-137-0x000000001BA30000-0x000000001BAB0000-memory.dmp