Trojan.Encoder.38811

Technical Information

Malicious functions

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Windows Task Manager (Taskmgr)

deletes volume shadow copies.

adds antivirus exclusion:

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -Force -ExclusionExtension py
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -Force -ExclusionExtension exe
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -Force -ExclusionPath E:\
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -Force -ExclusionPath C:\
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -Force -ExclusionPath D:\
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -Force -ExclusionPath <Drive name for removable media>:\

Launches a large number of processes

Reads files which store third party applications passwords

%HOMEPATH%\desktop\1189.jpg
%HOMEPATH%\desktop\168.jpeg
%APPDATA%\mozilla\firefox\profiles.ini
%HOMEPATH%\desktop\3.jpeg
%APPDATA%\thunderbird\profiles.ini
%HOMEPATH%\desktop\3.jpg

Modifies file system

Creates the following files

%TEMP%\_mei8842\qfikwz-rddghi-orgiyj-6m1zqp895d8af1-e9d0-296b-344b-1536e1de0893new.exe.manifest
%CommonProgramFiles(x86)%\adobe\reader\dc\linguistics\providers\plugins2\adobehunspellplugin\abbreviations\en_us\list.txt.new
%ALLUSERSPROFILE%\package cache\{42667d2e-b054-46c1-9d46-2ee1332c14c1}v14.29.30133\packages\vcruntimeadditional_x86\cab1.cab.new
%HOMEPATH%\music\desktop.ini.new
C:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\desktop.ini.new
%CommonProgramFiles%\microsoft shared\themes14\axis\axis.elm.new
%ProgramFiles(x86)%\opera\29.0.1795.47\d3dcompiler_47.dll.new
%LOCALAPPDATA%\google\chrome\application\chrome.exe.new
C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\osetup.dll.new
%ProgramFiles(x86)%\microsoft visual studio 8\vsta\bin\vstaclientpkg.dll.new
%CommonProgramFiles%\microsoft shared\translat\arfr\msb1arfr.its.new
%ProgramFiles(x86)%\steam\bin\steamservice.exe.new
%CommonProgramFiles%\microsoft shared\office14\1033\aceodbci.dll.new
C:\users\default\appdata\roaming\microsoft\windows\sendto\fax recipient.lnk.new
%CommonProgramFiles%\microsoft shared\translat\esen\msb1esen.dll.new
%ALLUSERSPROFILE%\package cache\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\packages\vcruntimeadditional_x86\cab1.cab.new
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\acroapp\enu\appcenter_r.aapp.new
%ALLUSERSPROFILE%\microsoft\office\assetlibrary.ico.new
%ProgramFiles%\microsoft office\office14\accddsf.dll.new
%ProgramFiles(x86)%\msbuild\microsoft\windows workflow foundation\v3.5\workflow.targets.new
%CommonProgramFiles%\microsoft shared\smart tag\1033\stintl.dll.new
%CommonProgramFiles(x86)%\microsoft shared\help\1040\hxdsui.dll.new
%ProgramFiles%\java\jre1.8.0_45\bin\bci.dll.new
%CommonProgramFiles%\microsoft shared\vgx\vgx.dll.new
%ProgramFiles%\microsoft office\media\office14\lines\bd10307_.gif.new
%ProgramFiles%\microsoft analysis services\as oledb\10\cartridges\sql70.xsl.new
%ProgramFiles(x86)%\msbuild\microsoft\windows workflow foundation\v3.0\workflow.targets.new
%ALLUSERSPROFILE%\package cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe.new
%ALLUSERSPROFILE%\microsoft\assistance\client\1.0\en-us\help_mkwd_bestbet.h1w.new
%CommonProgramFiles(x86)%\microsoft shared\portal\portalconnectcore.dll.new
%CommonProgramFiles%\microsoft shared\textconv\msconv97.dll.new
%CommonProgramFiles%\microsoft shared\translat\enfr\msb1enfr.its.new
%ALLUSERSPROFILE%\package cache\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\packages\vcruntimeminimum_x86\cab1.cab.new
%ProgramFiles%\microsoft office\office14\1033\actip10.hlp.new
%ProgramFiles%\microsoft office\media\cagcat10\j0090070.wmf.new
%CommonProgramFiles%\microsoft shared\translat\enes\msb1enes.its.new
%ProgramFiles%\microsoft office\clipart\pub60cor\ag00052_.gif.new
%ProgramFiles%\java\jre1.8.0_45\thirdpartylicensereadme-javafx.txt.new
%CommonProgramFiles%\microsoft shared\themes14\blends\blends.elm.new
%APPDATA%\microsoft\protect\s-1-5-21-3150914307-1777937420-491476919-1000\51da22b7-9513-4885-adb9-cd2e72f47f0a.new
C:\msocache\all users\{90140000-0117-0409-1000-0000000ff1ce}-c\access.en-us\accessmui.msi.new
%ProgramFiles%\microsoft office\media\office14\bullets\bd10297_.gif.new
%CommonProgramFiles%\microsoft shared\themes14\bluecalm\bluecalm.elm.new
%ALLUSERSPROFILE%\package cache\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\packages\vcruntimeadditional_amd64\cab1.cab.new
%ProgramFiles%\microsoft office\media\office14\lines\bd10308_.gif.new
%HOMEPATH%\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.new
C:\users\default\ntuser.dat.log.new
%CommonProgramFiles%\microsoft shared\web folders\1033\msosvint.dll.new
%APPDATA%\mozilla\firefox\crash reports\installtime20200708170202.new
%APPDATA%\mozilla\firefox\profiles\m15ucxjx.default\times.json.new
%CommonProgramFiles%\microsoft shared\themes14\axis\axis.inf.new
%HOMEPATH%\favorites\links\web slice gallery.url.new
%CommonProgramFiles%\microsoft shared\web folders\msosv.dll.new
C:\users\public\recorded tv\desktop.ini.new
%LOCALAPPDATA%low\sun\java\deployment\deployment.properties.new
C:\users\public\libraries\recordedtv.library-ms.new
%ProgramFiles%\microsoft office\clipart\pub60cor\ag00057_.gif.new
%APPDATA%\microsoft\internet explorer\quick launch\launch internet explorer browser.lnk.new
C:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\shows desktop.lnk.new
%LOCALAPPDATA%low\sun\java\jre1.8.0_45_x64\jre1.8.0_45.msi.new
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\acrobroker.exe.new
C:\users\public\music\sample music\desktop.ini.new
%ProgramFiles(x86)%\reference assemblies\microsoft\framework\v3.5\microsoft.build.conversion.v3.5.dll.new
%HOMEPATH%\favorites\links for united states\desktop.ini.new
%ProgramFiles%\winrar\default.sfx.new
%CommonProgramFiles(x86)%\microsoft shared\help\1049\hxdsui.dll.new
%ALLUSERSPROFILE%\package cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm.new
%APPDATA%\microsoft\internet explorer\quick launch\google chrome.lnk.new
%APPDATA%\thunderbird\installs.ini.new
%CommonProgramFiles%\microsoft shared\themes14\arctic\arctic.inf.new
%CommonProgramFiles(x86)%\microsoft shared\help\hx.hxc.new
%ProgramFiles%\microsoft office\office14\1033\acwizrc.dll.new
C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\dw20.exe.new
%ProgramFiles(x86)%\adobe\acrobat reader dc\resource\typesupport\unicode\mappings\adobe\symbol.txt.new
%HOMEPATH%\favorites\microsoft websites\ie add-on site.url.new
%ProgramFiles(x86)%\microsoft analysis services\as oledb\10\cartridges\sql2000.xsl.new
%ProgramFiles(x86)%\msbuild\microsoft\windows workflow foundation\v3.0\workflow.visualbasic.targets.new
%HOMEPATH%\links\desktop.ini.new
C:\users\public\desktop\mozilla thunderbird.lnk.new
%ProgramFiles%\mozilla thunderbird\api-ms-win-core-processthreads-l1-1-1.dll.new
%CommonProgramFiles%\microsoft shared\themes14\aftrnoon\aftrnoon.inf.new
C:\users\public\music\desktop.ini.new
%HOMEPATH%\favorites\desktop.ini.new
%CommonProgramFiles(x86)%\adobe\reader\dc\linguistics\languagenames2\displaylanguagenames.en_us.txt.new
%ProgramFiles(x86)%\microsoft office\office14\grooveex.dll.new
%ProgramFiles(x86)%\msbuild\microsoft.office.infopath.targets.new
C:\msocache\all users\{90140000-0117-0409-1000-0000000ff1ce}-c\accessmuiset.msi.new
%ALLUSERSPROFILE%\package cache\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\packages\vcruntimeadditional_amd64\cab1.cab.new
%CommonProgramFiles(x86)%\microsoft shared\portal\1033\portalconnect.dll.new
%CommonProgramFiles%\microsoft shared\smart tag\fbiblio.dll.new
%HOMEPATH%\contacts\user.contact.new
%HOMEPATH%\downloads\desktop.ini.new
%CommonProgramFiles(x86)%\system\directdb.dll.new
%CommonProgramFiles(x86)%\system\ado\adojavas.inc.new
%CommonProgramFiles%\microsoft shared\msinfo\msinfo32.exe.new
%APPDATA%\microsoft\protect\credhist.new
C:\users\public\desktop\firefox.lnk.new
%ProgramFiles(x86)%\adobe\acrobat reader dc\resource\saslprep\saslprepprofile_norm_bidi.spp.new
C:\users\default\appdata\roaming\microsoft\windows\sendto\desktop (create shortcut).desklink.new
%ALLUSERSPROFILE%\package cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe.new
%ProgramFiles%\microsoft office\stationery\1033\jungle.gif.new
%ALLUSERSPROFILE%\microsoft help\ms.excel.dev.14.1033.hxn.new
%ALLUSERSPROFILE%\package cache\{295d1583-fdb9-414b-a4c8-da539362a26b}\vc_redist.x64.exe.new
%ProgramFiles%\mozilla thunderbird\api-ms-win-core-localization-l1-2-0.dll.new
%CommonProgramFiles%\microsoft shared\msinfo\en-us\msinfo32.exe.mui.new
%APPDATA%\microsoft\internet explorer\quick launch\desktop.ini.new
%ProgramFiles(x86)%\microsoft analysis services\as oledb\10\cartridges\informix.xsl.new
%ProgramFiles%\microsoft office\media\cagcat10\j0088542.wmf.new
%CommonProgramFiles(x86)%\microsoft shared\msinfo\msinfo32.exe.new
%ProgramFiles%\microsoft office\media\office14\lines\bd10289_.gif.new
C:\users\default\appdata\roaming\microsoft\windows\start menu\programs\maintenance\desktop.ini.new
%CommonProgramFiles(x86)%\microsoft shared\office14\1033\msointl.dll.new
%ProgramFiles%\microsoft analysis services\as oledb\10\cartridges\sql2000.xsl.new
%CommonProgramFiles%\microsoft shared\officesoftwareprotectionplatform\osppcext.dll.new
%ProgramFiles%\microsoft office\media\office14\lines\bd10290_.gif.new
%ProgramFiles%\microsoft office\office14\1033\accvdtui.dll.new
%CommonProgramFiles%\microsoft shared\source engine\ose.exe.new
%CommonProgramFiles(x86)%\microsoft shared\ink\en-us\inkobj.dll.mui.new
%ProgramFiles%\winrar\ace32loader.exe.new
%ProgramFiles%\microsoft office\clipart\publisher\backgrounds\j0143749.gif.new
%ProgramFiles%\microsoft office\media\office14\autoshap\bd18180_.wmf.new
%CommonProgramFiles(x86)%\microsoft shared\help\1041\hxdsui.dll.new
%ProgramFiles(x86)%\microsoft analysis services\as oledb\10\cartridges\msjet.xsl.new
%CommonProgramFiles%\microsoft shared\themes14\arctic\arctic.elm.new
%CommonProgramFiles(x86)%\adobe\reader\dc\linguistics\languagenames2\displaylanguagenames.en_us_posix.txt.new
%ProgramFiles%\microsoft office\media\office14\bullets\bd10268_.gif.new
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\publicassemblies\microsoft.visualstudio.tools.applications.addinmanager.dll.new
%CommonProgramFiles%\microsoft shared\vc\msdia100.dll.new
%ProgramFiles(x86)%\microsoft.net\primary interop assemblies\adodb.dll.new
%CommonProgramFiles(x86)%\microsoft shared\help\1042\hxdsui.dll.new
C:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\command prompt.lnk.new
%ProgramFiles(x86)%\microsoft visual studio 8\vsta\bin\1033\vstaclientpkgui.dll.new
%CommonProgramFiles%\microsoft shared\equation\mtextra.ttf.new
%ProgramFiles%\microsoft office\document themes 14\aspect.thmx.new
%CommonProgramFiles(x86)%\microsoft shared\help\1046\hxdsui.dll.new
%ProgramFiles%\microsoft office\media\office14\bullets\bd10267_.gif.new
%CommonProgramFiles%\microsoft shared\office14\acecore.dll.new
%ProgramFiles(x86)%\opera\launcher.exe.new
%ProgramFiles(x86)%\adobe\acrobat reader dc\resource\font\adobepistd.otf.new
%APPDATA%\mozilla\firefox\profiles.ini.new
%APPDATA%\microsoft\windows\libraries\desktop.ini.new
C:\users\public\pictures\desktop.ini.new
%ProgramFiles%\microsoft sql server compact edition\v3.5\sqlceer35en.dll.new
C:\users\default\appdata\roaming\microsoft\windows\sendto\desktop.ini.new
%APPDATA%\microsoft\crypto\rsa\s-1-5-21-3150914307-1777937420-491476919-1000\f58155b4b1d5a524ca0261c3ee99fb50_d99ef00b-ccd3-4f1d-9980-90ac453b0b47.new
%CommonProgramFiles(x86)%\adobe\reader\dc\linguistics\providers\plugins2\adobehunspellplugin\abbreviations\en_gb\list.txt.new
%ProgramFiles%\microsoft office\media\office14\bullets\bd10265_.gif.new
%ProgramFiles%\microsoft office\media\office14\bullets\bd10264_.gif.new
%CommonProgramFiles(x86)%\adobe\reader\dc\linguistics\providers\plugins2\adobehunspellplugin\adobehunspellplugin.dll.new
%APPDATA%\mozilla\firefox\installs.ini.new
%ProgramFiles(x86)%\opera\installer_prefs.json.new
%CommonProgramFiles(x86)%\adobe\reader\dc\linguistics\providers\plugins2\adobehunspellplugin\abbreviations\en_ca\list.txt.new
%HOMEPATH%\favorites\links\desktop.ini.new
C:\users\default\appdata\roaming\microsoft\windows\start menu\programs\maintenance\help.lnk.new
%ProgramFiles%\microsoft office\media\office14\bullets\bd10266_.gif.new
%ALLUSERSPROFILE%\package cache\{f65db027-aff3-4070-886a-0d87064aabb1}\state.rsm.new
C:\users\public\libraries\desktop.ini.new
%CommonProgramFiles%\microsoft shared\themes14\aftrnoon\aftrnoon.elm.new
%ALLUSERSPROFILE%\package cache\{38b2c744-ad08-4d5b-91a2-3fb6f739ff3e}\state.rsm.new
%CommonProgramFiles%\microsoft shared\msclientdatamgr\mscdm.dll.new
%ALLUSERSPROFILE%\microsoft\office\documentrepository.ico.new
%CommonProgramFiles%\microsoft shared\office14\1033\acewstr.dll.new
%ProgramFiles(x86)%\adobe\acrobat reader dc\resource\typesupport\unicode\mappings\mac\centeuro.txt.new
%APPDATA%\mozilla\firefox\profiles\v08trqk6.default-release\addonstartup.json.lz4.new
C:\users\public\music\sample music\kalimba.mp3.new
%CommonProgramFiles%\microsoft shared\themes14\boldstri\boldstri.elm.new
%CommonProgramFiles%\microsoft shared\themes14\bluecalm\bluecalm.inf.new
%HOMEPATH%\favorites\windows live\get windows live.url.new
%ALLUSERSPROFILE%\microsoft\rac\statedata\racdatabase.sdf.new
%ALLUSERSPROFILE%\microsoft\office\mysharepoints.ico.new
%ProgramFiles(x86)%\microsoft.net\primary interop assemblies\microsoft.mshtml.dll.new
%APPDATA%\microsoft\windows\start menu\desktop.ini.new
%ProgramFiles(x86)%\steam\steam.exe.new
%CommonProgramFiles(x86)%\microsoft shared\vc\msdia100.dll.new
%ProgramFiles%\microsoft office\media\office14\lines\bd14516_.gif.new
%APPDATA%\microsoft\internet explorer\quick launch\window switcher.lnk.new
%APPDATA%\microsoft\windows\recent\desktop.ini.new
%ALLUSERSPROFILE%\package cache\{fd9b6070-d13e-45dc-819b-41806bf45b6b}\state.rsm.new
C:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\notepad.lnk.new
%ProgramFiles%\microsoft office\media\office14\bullets\bd10301_.gif.new
%CommonProgramFiles%\microsoft shared\vsto\vstoee.dll.new
%CommonProgramFiles%\microsoft shared\textconv\wks9pxy.cnv.new
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\acroapp\enu\combine_r_rhp.aapp.new
%ProgramFiles%\microsoft office\clipart\pub60cor\ag00092_.gif.new
%ProgramFiles%\microsoft office\media\office14\lines\bd10358_.gif.new
%ProgramFiles%\microsoft office\clipart\publisher\backgrounds\j0143752.gif.new
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\publicassemblies\microsoft.visualstudio.tools.applications.comrpcchannel.dll.new
%CommonProgramFiles(x86)%\microsoft shared\help\2052\hxdsui.dll.new
%CommonProgramFiles%\microsoft shared\web server extensions\14\bin\1033\fpext.msg.new
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\publicassemblies\microsoft.visualstudio.tools.applications.designtime.dll.new
%CommonProgramFiles%\microsoft shared\translat\fren\msb1fren.dll.new
%ProgramFiles(x86)%\microsoft visual studio 8\vsta\bin\vstaproject.dll.new
%CommonProgramFiles(x86)%\microsoft shared\vgx\vgx.dll.new
C:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\ease of access.lnk.new
%CommonProgramFiles%\microsoft shared\web server extensions\14\bin\fpsrvutl.dll.new
%CommonProgramFiles%\microsoft shared\themes14\blueprnt\blueprnt.elm.new
%ProgramFiles(x86)%\adobe\acrobat reader dc\resource\typesupport\unicode\mappings\win\cp1250.txt.new
%ProgramFiles(x86)%\microsoft analysis services\as oledb\10\cartridges\sql90.xsl.new
%CommonProgramFiles(x86)%\microsoft shared\help\hxruntime.hxs.new
%LOCALAPPDATA%\google\chrome\application\42.0.2311.135\chrome.dll.new
%ProgramFiles%\microsoft analysis services\as oledb\10\cartridges\sybase.xsl.new
%CommonProgramFiles%\microsoft shared\themes14\blueprnt\blueprnt.inf.new
%ProgramFiles%\microsoft office\media\cagcat10\j0149407.wmf.new
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\acroapp\enu\comments.aapp.new
%CommonProgramFiles(x86)%\java\java update\jusched.exe.new
%ProgramFiles%\microsoft office\office14\1033\bcsruntimeres.dll.new
%ProgramFiles%\microsoft office\templates\1033\access\contacts.accdt.new
%LOCALAPPDATA%\microsoft\feeds\feedsstore.feedsdb-ms.new
%ALLUSERSPROFILE%\package cache\{ec9807de-b577-47b1-a024-0251805acf24}v14.29.30133\packages\vcruntimeminimum_x86\cab1.cab.new
%CommonProgramFiles%\microsoft shared\themes14\breeze\breeze.elm.new
%CommonProgramFiles%\microsoft shared\translat\esen\msb1esen.its.new
%CommonProgramFiles%\microsoft shared\themes14\blends\preview.gif.new
C:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\magnify.lnk.new
%ALLUSERSPROFILE%\package cache\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\packages\vcruntimeminimum_x86\vc_runtimeminimum_x86.msi.new
%ProgramFiles%\microsoft office\media\office14\autoshap\bd18182_.wmf.new
%APPDATA%\microsoft\protect\s-1-5-21-3150914307-1777937420-491476919-1000\preferred.new
%CommonProgramFiles%\microsoft shared\themes14\bluecalm\preview.gif.new
%ProgramFiles%\microsoft office\clipart\publisher\backgrounds\j0143753.gif.new
%CommonProgramFiles%\microsoft shared\smart tag\fperson.dll.new
%ProgramFiles%\microsoft office\clipart\pub60cor\ag00103_.gif.new
%CommonProgramFiles(x86)%\microsoft shared\help\keywords.hxk.new
%APPDATA%\microsoft\windows\recent\automaticdestinations\1b4dd67f29cb1962.automaticdestinations-ms.new
%ALLUSERSPROFILE%\package cache\{e699e009-1c3c-4e50-9b57-2b39f0954c7f}v14.29.30133\packages\vcruntimeadditional_amd64\cab1.cab.new
%ProgramFiles(x86)%\microsoft analysis services\as oledb\10\cartridges\sybase.xsl.new
%ProgramFiles(x86)%\adobe\acrobat reader dc\resource\font\courierstd-boldoblique.otf.new
%CommonProgramFiles%\microsoft shared\vsto\10.0\1033\vstoinstallerui.dll.new
C:\users\default\ntuser.dat.log1.new
C:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\run.lnk.new
%APPDATA%\microsoft\windows\libraries\music.library-ms.new
%ProgramFiles%\mozilla thunderbird\api-ms-win-core-timezone-l1-1-0.dll.new
%CommonProgramFiles(x86)%\microsoft shared\vba\vba6\vbe6ext.olb.new
%HOMEPATH%\favorites\windows live\windows live gallery.url.new
%APPDATA%\microsoft\windows\recent\customdestinations\1b4dd67f29cb1962.customdestinations-ms.new
%APPDATA%\thunderbird\profiles.ini.new
%APPDATA%\microsoft\windows\sendto\desktop (create shortcut).desklink.new
%ProgramFiles%\microsoft office\media\office14\bullets\bd10302_.gif.new
%ALLUSERSPROFILE%\microsoft help\ms.infopath.14.1033.hxn.new
%CommonProgramFiles%\microsoft shared\proof\mswds_en.lex.new
%HOMEPATH%\links\downloads.lnk.new
%ALLUSERSPROFILE%\package cache\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\packages\vcruntimeminimum_x86\cab1.cab.new
%ProgramFiles%\microsoft sync framework\v1.0\runtime\x64\resources\1033\synchronization.rll.new
%ProgramFiles(x86)%\reference assemblies\microsoft\framework\v3.0\presentationbuildtasks.dll.new
C:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\pptlr.cab.new
%ALLUSERSPROFILE%\package cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe.new
C:\users\public\desktop\opera.lnk.new
%CommonProgramFiles%\microsoft shared\textconv\recovr32.cnv.new
%APPDATA%\mozilla\firefox\profiles\m15ucxjx.default\user.js.new
%ProgramFiles%\microsoft analysis services\as oledb\10\cartridges\sql90.xsl.new
%HOMEPATH%\favorites\msn websites\msn autos.url.new
C:\users\public\videos\desktop.ini.new
%ProgramFiles(x86)%\steam\steam.cfg.new
%ALLUSERSPROFILE%\package cache\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\packages\vcruntimeminimum_amd64\cab1.cab.new
%ALLUSERSPROFILE%\package cache\{9d29fc96-9eee-4253-943f-96b3bbfdd0b6}v14.16.27024\packages\vcruntimeadditional_amd64\cab1.cab.new
%CommonProgramFiles(x86)%\microsoft shared\help\hx.hxt.new
%ProgramFiles(x86)%\microsoft visual studio 8\vsta\bin\1033\vstaprojectui.dll.new
%ALLUSERSPROFILE%\microsoft help\ms.graph.14.1033.hxn.new
%CommonProgramFiles%\microsoft shared\translat\frar\msb1frar.its.new
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\acroapp\enu\certificates_r.aapp.new
%CommonProgramFiles%\microsoft shared\vba\vba7\1033\fm20.chm.new
%ALLUSERSPROFILE%\package cache\{38b2c744-ad08-4d5b-91a2-3fb6f739ff3e}\vc_redist.x86.exe.new
%ProgramFiles%\java\jre1.8.0_45\bin\dcpr.dll.new
%ALLUSERSPROFILE%\package cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe.new
%CommonProgramFiles%\microsoft shared\office14\1033\acerecr.dll.new
%CommonProgramFiles%\microsoft shared\themes14\arctic\preview.gif.new
%ProgramFiles(x86)%\microsoft analysis services\as oledb\10\cartridges\sql70.xsl.new
%CommonProgramFiles%\microsoft shared\vba\vba7\vbe7.dll.new
%ALLUSERSPROFILE%\package cache\{6cd9e9ed-906d-4196-8dc3-f987d2f6615f}v14.29.30133\packages\vcruntimeminimum_amd64\cab1.cab.new
%ProgramFiles%\microsoft office\clipart\publisher\backgrounds\j0143750.gif.new
%ALLUSERSPROFILE%\microsoft\rac\publisheddata\racwmidatabase.sdf.new
%CommonProgramFiles(x86)%\microsoft shared\help\3082\hxdsui.dll.new
%APPDATA%\thunderbird\crash reports\installtime20210406220621.new
%CommonProgramFiles%\microsoft shared\translat\msb1ar.lex.new
%LOCALAPPDATA%\google\chrome\application\42.0.2311.135\42.0.2311.135.manifest.new
%CommonProgramFiles%\microsoft shared\smart tag\1033\stintl.dll.idx_dll.new
C:\users\default\appdata\roaming\microsoft\windows\sendto\mail recipient.mapimail.new
%APPDATA%\microsoft\internet explorer\quick launch\shows desktop.lnk.new
%ProgramFiles%\java\jre1.8.0_45\thirdpartylicensereadme.txt.new
%ProgramFiles%\mozilla thunderbird\api-ms-win-core-synch-l1-2-0.dll.new
%ProgramFiles%\winrar\default64.sfx.new
C:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\window switcher.lnk.new
%ProgramFiles(x86)%\steam\logs\bootstrap_log.txt.new
%ALLUSERSPROFILE%\oracle\java\javapath\javaw.exe.new
%HOMEPATH%\favorites\msn websites\msn money.url.new
%HOMEPATH%\favorites\msn websites\msn.url.new
%HOMEPATH%\favorites\microsoft websites\microsoft at home.url.new
%ProgramFiles%\microsoft office\media\office14\bullets\bd10299_.gif.new
%HOMEPATH%\favorites\msn websites\msnbc news.url.new
%ProgramFiles%\microsoft office\media\office14\bullets\bd10300_.gif.new
%HOMEPATH%\favorites\links for united states\usa.gov.url.new
%HOMEPATH%\favorites\microsoft websites\microsoft at work.url.new
%HOMEPATH%\favorites\msn websites\msn sports.url.new
%ALLUSERSPROFILE%\microsoft help\ms.groove.14.1033.hxn.new
%CommonProgramFiles%\microsoft shared\vsto\10.0\vstoinstaller.config.new
%CommonProgramFiles%\microsoft shared\smart tag\fdate.dll.new
C:\users\public\desktop\steam.lnk.new
%ProgramFiles%\java\jre1.8.0_45\bin\decora_sse.dll.new
%APPDATA%\telegram desktop\telegram.exe.new
%HOMEPATH%\favorites\microsoft websites\microsoft store.url.new
%HOMEPATH%\favorites\msn websites\msn entertainment.url.new
%APPDATA%\microsoft\protect\s-1-5-21-3150914307-1777937420-491476919-1000\a786b820-2a9e-4925-b3ac-88dea09c4a01.new
%APPDATA%\mozilla\firefox\profiles\v08trqk6.default-release\addons.json.new
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\acroapp\enu\collectsignatures.aapp.new
%ProgramFiles%\microsoft office\media\cagcat10\j0090386.wmf.new
%ProgramFiles%\microsoft sql server compact edition\v3.5\sqlceme35.dll.new
%HOMEPATH%\favorites\microsoft websites\ie site on microsoft.com.url.new
%HOMEPATH%\favorites\links for united states\gobiernousa.gov.url.new
%ProgramFiles%\microsoft office\document themes 14\austin.thmx.new
%ProgramFiles%\microsoft office\media\office14\bullets\bd10298_.gif.new
%ProgramFiles%\microsoft office\clipart\pub60cor\ag00090_.gif.new
%CommonProgramFiles%\microsoft shared\themes14\blends\blends.inf.new
%HOMEPATH%\links\desktop.lnk.new
%APPDATA%\microsoft\windows\sendto\compressed (zipped) folder.zfsendtotarget.new
C:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\owow32lr.cab.new
C:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\desktop.ini.new
%CommonProgramFiles%\microsoft shared\grphflt\epsimp32.flt.new
%ProgramFiles(x86)%\adobe\acrobat reader dc\resource\font\courierstd-bold.otf.new
%CommonProgramFiles%\microsoft shared\themes14\axis\preview.gif.new
%ProgramFiles%\microsoft office\media\office14\autoshap\bd18181_.wmf.new
%ProgramFiles(x86)%\adobe\acrobat reader dc\resource\typesupport\unicode\mappings\adobe\zdingbat.txt.new
%CommonProgramFiles%\microsoft shared\themes14\aftrnoon\preview.gif.new
%ALLUSERSPROFILE%\package cache\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\packages\vcruntimeminimum_amd64\cab1.cab.new
%ProgramFiles%\reference assemblies\microsoft\framework\v3.5\microsoft.build.conversion.v3.5.dll.new
%LOCALAPPDATA%low\oracle\java\au\au.msi.new
C:\users\default\appdata\roaming\microsoft\windows\sendto\compressed (zipped) folder.zfsendtotarget.new
%TEMP%\_mei8842\pyinstaller-4.4.dist-info\metadata
%TEMP%\_mei8842\pyinstaller-4.4.dist-info\record
%TEMP%\_mei8842\pyinstaller-4.4.dist-info\wheel
%TEMP%\_mei8842\pyinstaller-4.4.dist-info\entry_points.txt
%TEMP%\_mei8842\pyinstaller-4.4.dist-info\metadata.json
%TEMP%\_mei8842\pyinstaller-4.4.dist-info\description.rst
%TEMP%\_mei8842\pip-20.1.1.dist-info\top_level.txt
%TEMP%\_mei8842\pyinstaller-4.4.dist-info\license.txt
%TEMP%\_mei8842\pyinstaller-4.4.dist-info\top_level.txt
%TEMP%\_mei8842\setuptools-47.1.0.dist-info\record
%TEMP%\_mei8842\setuptools-47.1.0.dist-info\wheel
%TEMP%\_mei8842\setuptools-47.1.0.dist-info\dependency_links.txt
%TEMP%\_mei8842\setuptools-47.1.0.dist-info\entry_points.txt
%TEMP%\_mei8842\setuptools-47.1.0.dist-info\top_level.txt
%TEMP%\_mei8842\setuptools-47.1.0.dist-info\installer
%TEMP%\_mei8842\setuptools-47.1.0.dist-info\license
%TEMP%\_mei8842\setuptools-47.1.0.dist-info\metadata
<Current directory>\pfd.txt
%TEMP%\_mei8842\setuptools-47.1.0.dist-info\zip-safe
%TEMP%\jn9k7_d1
%TEMP%\_mei8842\cryptography-3.4.7.dist-info\metadata
%TEMP%\_mei8842\cryptography-3.4.7.dist-info\record
%TEMP%\_mei8842\cryptography-3.4.7.dist-info\wheel
%TEMP%\_mei8842\cryptography-3.4.7.dist-info\top_level.txt
%TEMP%\_mei8842\importlib_metadata-4.6.1.dist-info\installer
%TEMP%\_mei8842\pip-20.1.1.dist-info\entry_points.txt
%TEMP%\_mei8842\cryptography-3.4.7.dist-info\license.bsd
%TEMP%\_mei8842\pip-20.1.1.dist-info\wheel
%TEMP%\_mei8842\importlib_metadata-4.6.1.dist-info\license
%TEMP%\_mei8842\importlib_metadata-4.6.1.dist-info\top_level.txt
%TEMP%\_mei8842\pip-20.1.1.dist-info\installer
%TEMP%\_mei8842\pip-20.1.1.dist-info\license.txt
%TEMP%\_mei8842\pip-20.1.1.dist-info\metadata
%TEMP%\_mei8842\pip-20.1.1.dist-info\record
%TEMP%\_mei8842\importlib_metadata-4.6.1.dist-info\metadata
%TEMP%\_mei8842\importlib_metadata-4.6.1.dist-info\record
%TEMP%\_mei8842\importlib_metadata-4.6.1.dist-info\wheel
%LOCALAPPDATA%\win32cryp.dll
%ProgramFiles%\mozilla thunderbird\accessiblehandler.dll.new
<Current directory>\pfd.txt.new
%CommonProgramFiles%\services\verisign.bmp.new
%ProgramFiles(x86)%\internet explorer\extexport.exe.new
%ALLUSERSPROFILE%\microsoft help\hx.hxn.new
%ProgramFiles%\microsoft office\stationery\1033\currency.gif.new
%CommonProgramFiles%\microsoft shared\equation\1033\eeintl.dll.new
%CommonProgramFiles%\microsoft shared\dw\dbghelp.dll.new
C:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\powerpointmui.msi.new
%ProgramFiles%\mozilla firefox\accessible.tlb.new
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\1494870c-9912-c184-4cc9-b401-a53f4d8de290.pdf.new
%ProgramFiles%\microsoft office\templates\1033\access\assets.accdt.new
%ProgramFiles%\microsoft office\document themes 14\adjacency.thmx.new
%ALLUSERSPROFILE%\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\abcpy.ini.new
%ProgramFiles%\microsoft analysis services\as oledb\10\msmdlocal.dll.new
%ProgramFiles%\mozilla firefox\accessiblehandler.dll.new
%ProgramFiles(x86)%\adobe\acrobat reader dc\esl\aiodlite.dll.new
%TEMP%\_mei8842\cryptography-3.4.7.dist-info\installer
%ProgramFiles%\microsoft analysis services\as oledb\10\cartridges\as80.xsl.new
%ProgramFiles%\java\jre1.8.0_45\copyright.new
%ProgramFiles%\microsoft office\templates\1033\adjacencyletter.dotx.new
%CommonProgramFiles%\system\directdb.dll.new
<Full path to file>.new
C:\kms\kms_vl_all_aio_debug.log.new
%ProgramFiles%\desktop.ini.new
C:\recovery\4cc8e8a4-51d2-11ee-b826-9a90d4dcffb5\boot.sdi.new
%CommonProgramFiles%\designer\msaddndr.dll.new
%ProgramFiles(x86)%\desktop.ini.new
C:\kms\kms_vl_all_aio.cmd.new
%ProgramFiles%\dvd maker\audiodepthconverter.ax.new
%ProgramFiles%\internet explorer\hmmapi.dll.new
C:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excellr.cab.new
C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\office32ww.msi.new
C:\users\desktop.ini.new
%ProgramFiles%\mozilla thunderbird\accessible.tlb.new
%CommonProgramFiles%\microsoft shared\euro\msoeuro.dll.new
%TEMP%\_mei8842\cryptography-3.4.7.dist-info\license.apache
%ProgramFiles%\internet explorer\en-us\hmmapi.dll.mui.new
%HOMEPATH%\desktop\contact me.txt
%TEMP%\_mei8842\cryptography-3.4.7.dist-info\license.psf
%ALLUSERSPROFILE%\microsoft\assistance\client\1.0\en-us\help_mtoc_help.h1h.new
%ProgramFiles%\java\jre1.8.0_45\bin\awt.dll.new
%TEMP%\_mei8842\base_library.zip
%TEMP%\_mei8842\api-ms-win-core-interlocked-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-core-libraryloader-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-core-localization-l1-2-0.dll
%TEMP%\_mei8842\api-ms-win-core-memory-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-core-namedpipe-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-core-processenvironment-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-core-handle-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-core-util-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-core-file-l2-1-0.dll
%TEMP%\_mei8842\api-ms-win-core-rtlsupport-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-core-string-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-core-synch-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-core-synch-l1-2-0.dll
%TEMP%\_mei8842\api-ms-win-core-sysinfo-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-core-timezone-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-core-processthreads-l1-1-1.dll
%TEMP%\_mei8842\api-ms-win-core-processthreads-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-core-profile-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-core-file-l1-1-0.dll
%TEMP%\_mei8842\_socket.pyd
%TEMP%\_mei8842\_bz2.pyd
%TEMP%\_mei8842\_cffi_backend.cp37-win_amd64.pyd
%TEMP%\_mei8842\_ctypes.pyd
%TEMP%\_mei8842\_decimal.pyd
%TEMP%\_mei8842\_hashlib.pyd
%TEMP%\_mei8842\_lzma.pyd
%TEMP%\_mei8842\api-ms-win-core-file-l1-2-0.dll
%TEMP%\_mei8842\api-ms-win-crt-conio-l1-1-0.dll
%TEMP%\_mei8842\vcruntime140.dll
%TEMP%\_mei8842\_ssl.pyd
%TEMP%\_mei8842\_win32sysloader.pyd
%TEMP%\_mei8842\api-ms-win-core-console-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-core-datetime-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-core-debug-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-core-errorhandling-l1-1-0.dll
%TEMP%\_mei8842\_queue.pyd
%TEMP%\_mei8842\_multiprocessing.pyd
%TEMP%\_mei8842\api-ms-win-core-heap-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-crt-convert-l1-1-0.dll
%TEMP%\_mei8842\select.pyd
%TEMP%\_mei8842\ucrtbase.dll
%TEMP%\_mei8842\unicodedata.pyd
%TEMP%\_mei8842\win32api.pyd
%TEMP%\_mei8842\win32com\shell\shell.pyd
%TEMP%\_mei8842\win32trace.pyd
%TEMP%\_mei8842\pywintypes37.dll
%TEMP%\_mei8842\python37.dll
%TEMP%\_mei8842\tinyaes.cp37-win_amd64.pyd
%TEMP%\_mei8842\win32ui.pyd
%TEMP%\_mei8842\altgraph-0.17.dist-info\metadata
%TEMP%\_mei8842\altgraph-0.17.dist-info\record
%TEMP%\_mei8842\altgraph-0.17.dist-info\wheel
%TEMP%\_mei8842\altgraph-0.17.dist-info\top_level.txt
%TEMP%\_mei8842\altgraph-0.17.dist-info\zip-safe
%TEMP%\_mei8842\win32wnet.pyd
%TEMP%\_mei8842\altgraph-0.17.dist-info\installer
%TEMP%\_mei8842\altgraph-0.17.dist-info\license
%TEMP%\_mei8842\pythoncom37.dll
%TEMP%\_mei8842\python3.dll
%TEMP%\_mei8842\api-ms-win-crt-environment-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-crt-heap-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-crt-locale-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-crt-math-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-crt-multibyte-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-crt-process-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-crt-runtime-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-crt-stdio-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-crt-filesystem-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-crt-string-l1-1-0.dll
%TEMP%\_mei8842\api-ms-win-crt-utility-l1-1-0.dll
%TEMP%\_mei8842\cryptography\hazmat\bindings\_openssl.pyd
%TEMP%\_mei8842\cryptography\hazmat\bindings\_padding.pyd
%TEMP%\_mei8842\libcrypto-1_1.dll
%TEMP%\_mei8842\libssl-1_1.dll
%TEMP%\_mei8842\mfc140u.dll
%TEMP%\_mei8842\pyexpat.pyd
%TEMP%\_mei8842\api-ms-win-crt-time-l1-1-0.dll
%TEMP%\_mei8842\cryptography-3.4.7.dist-info\license
%APPDATA%\microsoft\windows\libraries\documents.library-ms.new
C:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\setup.xml.new
%ProgramFiles%\microsoft office\templates\1033\adjacencymergeletter.dotx.new
%ProgramFiles%\microsoft office\media\office14\autoshap\autoshap.dll.new
%ProgramFiles%\microsoft office\media\cagcat10\elphrg01.wav.new
%CommonProgramFiles%\microsoft shared\filters\odffilt.dll.new
%ProgramFiles%\microsoft office\clipart\pub60cor\ag00040_.gif.new
%ALLUSERSPROFILE%\microsoft\identitycrl\ppcrlui.dll.new
%ALLUSERSPROFILE%\microsoft\device stage\task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico.new
%ProgramFiles%\microsoft office\media\office14\lines\bd10256_.gif.new
%ProgramFiles%\microsoft office\templates\1033\access\charitable contributions.accdt.new
%ProgramFiles(x86)%\microsoft analysis services\as oledb\10\cartridges\as90.xsl.new
%CommonProgramFiles(x86)%\adobe\reader\dc\linguistics\providers\adobe\products.txt.new
%ProgramFiles%\microsoft office\office14\1033\accolki.dll.new
%CommonProgramFiles%\microsoft shared\grphflt\cgmimp32.fnt.new
%ProgramFiles%\winrar\7zxa.dll.new
%CommonProgramFiles(x86)%\adobe\reader\dc\linguistics\languagenames2\displaylanguagenames.en_gb.txt.new
%CommonProgramFiles%\microsoft shared\help\itircl55.dll.new
%ALLUSERSPROFILE%\microsoft\device stage\task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico.new
C:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\onenotemui.msi.new
%ProgramFiles(x86)%\microsoft office\office14\bcslaunch.dll.new
%CommonProgramFiles(x86)%\microsoft shared\help\1031\hxdsui.dll.new
%ProgramFiles%\microsoft office\clipart\pub60cor\ag00038_.gif.new
%ProgramFiles%\msbuild\microsoft\windows workflow foundation\v3.5\workflow.targets.new
%ALLUSERSPROFILE%\microsoft help\ms.excel.14.1033.hxn.new
%ProgramFiles%\microsoft office\clipart\publisher\backgrounds\j0143746.gif.new
%HOMEPATH%\contacts\desktop.ini.new
%CommonProgramFiles(x86)%\adobe\reader\dc\linguistics\languagenames2\displaylanguagenames.en_ca.txt.new
%ALLUSERSPROFILE%\microsoft\crypto\rsa\s-1-5-18\6d14e4b1d8ca773bab785d1be032546e_d99ef00b-ccd3-4f1d-9980-90ac453b0b47.new
%CommonProgramFiles%\microsoft shared\equation\eqnedt32.exe.manifest.new
%CommonProgramFiles(x86)%\microsoft shared\ink\1.0\microsoft.ink.dll.new
%ALLUSERSPROFILE%\oracle\java\javapath\java.exe.new
%CommonProgramFiles(x86)%\microsoft shared\help\1028\hxdsui.dll.new
%ProgramFiles%\microsoft office\media\office14\office10.mmw.new
%ProgramFiles%\java\jre1.8.0_45\readme.txt.new
C:\users\public\downloads\desktop.ini.new
%ProgramFiles(x86)%\microsoft analysis services\as oledb\10\cartridges\as80.xsl.new
%ALLUSERSPROFILE%\microsoft\mf\active.grl.new
C:\users\public\documents\desktop.ini.new
%ALLUSERSPROFILE%\package cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\state.rsm.new
C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\ose.exe.new
%ProgramFiles%\microsoft office\clipart\publisher\backgrounds\j0143748.gif.new
%ProgramFiles%\mozilla thunderbird\api-ms-win-core-file-l2-1-0.dll.new
%CommonProgramFiles(x86)%\microsoft shared\help\1036\hxdsui.dll.new
%CommonProgramFiles(x86)%\microsoft shared\ink\inkdiv.dll.new
%CommonProgramFiles(x86)%\java\java update\jucheck.exe.new
%CommonProgramFiles(x86)%\microsoft shared\help\1033\hxdsui.dll.new
%CommonProgramFiles(x86)%\microsoft shared\msenv\publicassemblies\extensibility.dll.new
%CommonProgramFiles(x86)%\microsoft shared\ink\1.7\microsoft.ink.dll.new
%CommonProgramFiles%\microsoft shared\office14\1033\aceintl.dll.new
%CommonProgramFiles%\microsoft shared\proof\mslid.dll.new
%ProgramFiles%\microsoft office\media\office14\bullets\bd10263_.gif.new
%CommonProgramFiles(x86)%\microsoft shared\msinfo\en-us\msinfo32.exe.mui.new
%ProgramFiles%\reference assemblies\microsoft\framework\v3.0\presentationbuildtasks.dll.new
%CommonProgramFiles(x86)%\microsoft shared\office14\csi.dll.new
%CommonProgramFiles(x86)%\steam\steamservice.exe.new
%CommonProgramFiles(x86)%\adobe\reader\dc\linguistics\languagenames2\displaylanguagenames.en_gb_euro.txt.new
%HOMEPATH%\documents\desktop.ini.new
%ProgramFiles(x86)%\internet explorer\en-us\hmmapi.dll.mui.new
C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\1033\dwintl20.dll.new
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\publicassemblies\microsoft.visualstudio.tools.applications.adapter.dll.new
%ProgramFiles%\microsoft office\document themes 14\apothecary.thmx.new
C:\msocache\all users\{90140000-00ba-0409-1000-0000000ff1ce}-c\groovelr.cab.new
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\privateassemblies\microsoft.visualstudio.tools.applications.project.dll.new
C:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini.new
%ProgramFiles%\microsoft office\media\office14\bullets\bd10255_.gif.new
%ProgramFiles%\msbuild\microsoft\windows workflow foundation\v3.0\workflow.visualbasic.targets.new
%CommonProgramFiles%\microsoft shared\dw\dw20.exe.new
%ProgramFiles%\microsoft sql server compact edition\v3.5\sqlcecompact35.dll.new
%ProgramFiles%\java\jre1.8.0_45\lib\charsets.jar.new
%CommonProgramFiles%\microsoft shared\officesoftwareprotectionplatform\osppc.dll.new
%ProgramFiles%\java\jre1.8.0_45\release.new
%ALLUSERSPROFILE%\package cache\{295d1583-fdb9-414b-a4c8-da539362a26b}\state.rsm.new
%ProgramFiles%\microsoft sync framework\v1.0\runtime\x64\synchronization.dll.new
%ALLUSERSPROFILE%\package cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm.new
%LOCALAPPDATA%low\microsoft\internet explorer\services\search_{0633ee93-d776-472f-a0ff-e1416b8b2e3a}.ico.new
%ALLUSERSPROFILE%\package cache\42d5bec7ddfbd49e76467529cbc2868987bf8460\packages\patch\x64\windows6.1-kb2999226-x64.msu.new
%CommonProgramFiles%\microsoft shared\equation\eqnedt32.hlp.new
%ALLUSERSPROFILE%\microsoft\mf\pending.grl.new
%ProgramFiles%\microsoft analysis services\as oledb\10\cartridges\msjet.xsl.new
%ProgramFiles%\microsoft analysis services\as oledb\10\cartridges\informix.xsl.new
%ProgramFiles%\microsoft sql server compact edition\v3.5\sqlceca35.dll.new
%ALLUSERSPROFILE%\microsoft\assistance\client\1.0\en-us\help_mkwd_assetid.h1w.new
%TEMP%\_mei8842\pyinstaller-4.4.dist-info\installer
%CommonProgramFiles%\microsoft shared\filters\msgfilt.dll.new
%CommonProgramFiles(x86)%\adobe\arm\1.0\adobearm.exe.new
C:\users\public\desktop\acrobat reader dc.lnk.new
%CommonProgramFiles%\microsoft shared\grphflt\cgmimp32.flt.new
%ProgramFiles%\microsoft office\clipart\publisher\backgrounds\j0143744.gif.new
%ProgramFiles%\microsoft office\clipart\pub60cor\ag00011_.gif.new
%ProgramFiles%\microsoft office\templates\1033\adjacencyreport.dotx.new
%CommonProgramFiles%\microsoft shared\equation\eqnedt32.exe.new
%ProgramFiles%\microsoft office\media\cagcat10\cagcat10.dll.new
C:\users\public\desktop\desktop.ini.new
%ProgramFiles%\microsoft office\stationery\1033\dadshirt.gif.new
%ProgramFiles%\microsoft office\clipart\publisher\backgrounds\j0143745.gif.new
%CommonProgramFiles(x86)%\java\java update\jaureg.exe.new
%ProgramFiles%\microsoft office\office14\3082\mso.acl.new
%ALLUSERSPROFILE%\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\acrordrdcupd1501020056.msp.new
%ProgramFiles%\java\jre1.8.0_45\lib\accessibility.properties.new
C:\users\public\desktop.ini.new
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\a3dutils.dll.new
%ProgramFiles%\microsoft office\office14\1036\mso.acl.new
%CommonProgramFiles%\system\ado\adojavas.inc.new
C:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\publishermui.msi.new
%ProgramFiles%\microsoft office\clipart\publisher\backgrounds\j0143743.gif.new
%CommonProgramFiles%\microsoft shared\equation\eqnedt32.cnt.new
%ProgramFiles(x86)%\adobe\acrobat reader dc\readme.htm.new
%ProgramFiles%\microsoft office\media\cagcat10\1033\cagcat10.mml.new
%ProgramFiles%\microsoft sync framework\v1.0\runtime\x64\feedsync.dll.new
%CommonProgramFiles%\microsoft shared\help\hxds.dll.new
%ProgramFiles%\microsoft office\document themes 14\angles.thmx.new
%ProgramFiles%\microsoft synchronization services\ado.net\v1.0\microsoft.synchronization.data.dll.new
C:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\wordlr.cab.new
%ProgramFiles%\microsoft office\media\office14\1033\office10.mml.new
%ProgramFiles%\mozilla firefox\accessiblemarshal.dll.new
%CommonProgramFiles%\microsoft shared\grphflt\cgmimp32.cfg.new
%ProgramFiles%\mozilla thunderbird\accessiblemarshal.dll.new
%ProgramFiles%\microsoft office\office14\accdds.dll.new
%ProgramFiles%\microsoft analysis services\as oledb\10\cartridges\as90.xsl.new
%ProgramFiles%\microsoft office\clipart\pub60cor\ag00004_.gif.new
%ProgramFiles%\mozilla thunderbird\api-ms-win-core-file-l1-2-0.dll.new
%ProgramFiles%\mozilla firefox\api-ms-win-core-file-l1-2-0.dll.new
C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\proof.cab.new
%CommonProgramFiles(x86)%\microsoft shared\dao\dao360.dll.new
%ALLUSERSPROFILE%\microsoft\identitycrl\ppcrlconfig.dll.new
%ALLUSERSPROFILE%\oracle\java\installcache_x64\baseimagefam8.new
%CommonProgramFiles(x86)%\adobe\arm\1.0\adobearmhelper.exe.new
%ProgramFiles%\microsoft office\media\office14\office10.dll.new
%ProgramFiles%\microsoft office\media\cagcat10\cagcat10.mmw.new
C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.es\proof.cab.new
%ProgramFiles%\msbuild\microsoft\windows workflow foundation\v3.0\workflow.targets.new
%ProgramFiles(x86)%\microsoft analysis services\as oledb\10\msmdlocal.dll.new
%ProgramFiles(x86)%\microsoft office\office14\1033\grooveintlresource.dll.new
C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proofing.msi.new
%ProgramFiles%\microsoft office\media\office14\lines\bd10219_.gif.new
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\ace.dll.new
%ProgramFiles%\microsoft office\stationery\1033\judgesch.gif.new
C:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\outlklr.cab.new
%ProgramFiles%\microsoft synchronization services\ado.net\v1.0\microsoft.synchronization.data.sqlserverce.dll.new
%ProgramFiles%\microsoft office\media\office14\bullets\bd10254_.gif.new
%ProgramFiles%\microsoft office\office14\1033\access12.acc.new
%ProgramFiles%\microsoft synchronization services\ado.net\v1.0\microsoft.synchronization.data.server.dll.new
%ProgramFiles%\microsoft office\clipart\pub60cor\ag00037_.gif.new
%ALLUSERSPROFILE%\mozilla\updates\308046b0af4a39cb\update-config.json.new
%ProgramFiles(x86)%\microsoft office\office14\authzax.dll.new
%ProgramFiles%\java\jre1.8.0_45\lib\calendars.properties.new
%ProgramFiles%\microsoft office\clipart\pub60cor\ag00021_.gif.new
%ALLUSERSPROFILE%\microsoft\assistance\client\1.0\en-us\help_cvalidator.h1d.new
%ProgramFiles%\java\jre1.8.0_45\lib\amd64\jvm.cfg.new
C:\recovery\4cc8e8a4-51d2-11ee-b826-9a90d4dcffb5\winre.wim.new
C:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\office32mui.msi.new
%ProgramFiles%\microsoft office\media\office14\bullets\bd10253_.gif.new
%ProgramFiles(x86)%\microsoft office\office14\1033\bhointl.dll.new
C:\msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\inflr.cab.new
%ProgramFiles%\microsoft office\office14\1033\accddsui.dll.new
%ProgramFiles%\microsoft sync framework\v1.0\runtime\x64\microsoft.synchronization.dll.new
%ProgramFiles%\java\jre1.8.0_45\license.new
%ProgramFiles%\microsoft office\document themes 14\apex.thmx.new
%ALLUSERSPROFILE%\mozilla\updates\d78bf5dd33499ec2\update-config.json.new
%CommonProgramFiles(x86)%\adobe\helpcfg\en_us\reader_dc.helpcfg.new
C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.fr\proof.cab.new
%ProgramFiles%\microsoft office\document themes 14\black tie.thmx.new

Sets the 'hidden' attribute to the following files

%LOCALAPPDATA%\win32cryp.dll
%ProgramFiles%\desktop.ini.new
%ProgramFiles(x86)%\desktop.ini.new

Deletes the following files

%TEMP%\jn9k7_d1
<Current directory>\pfd.txt

Deletes itself.

Changes user data files extensions (Trojan.Encoder).

Network activity

Connects to

'sm##.gmail.com':465

TCP

Other

'sm##.gmail.com':465

UDP

DNS ASK re#####r1.opendns.com
DNS ASK 22#.###.67.208.in-addr.arpa
DNS ASK my##.#pendns.com
DNS ASK sm##.gmail.com

Miscellaneous

Creates and executes the following

'<SYSTEM32>\cmd.exe' /c "nslookup myip.opendns.com resolver1.opendns.com"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Windows\Caches\cversions.2.db""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{6CD9E9ED-906D-4196-8DC3-F987D2F6615F}v14.29.30133\packages\vcRuntimeMinimum_amd64\cab1.cab""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{38b2c744-ad08-4d5b-91a2-3fb6f739ff3e}\VC_redist.x86.exe""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Protect\S-1-5-21-3150914307-1777937420-491476919-1000\Preferred""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Videos\Sample Videos\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles(x86)%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\SendTo\Desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\RAC\StateData\RacDatabase.sdf""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\User Account Pictures\user.bmp""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%LOCALAPPDATA%\Microsoft\Feeds\FeedsStore.feedsdb-ms""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\NTUSER.DAT.LOG1.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft Help\MS.INFOPATH.14.1033.hxn.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Windows\Caches\cversions.2.db""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles(x86)%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Feeds Cache\15IVKCR3\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Feeds Cache\BBS9HW0E\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Recorded TV\Sample Media\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\NTUSER.DAT.LOG2.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Feeds Cache\6FWA5FTW\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\User Account Pictures\user.bmp""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{6CD9E9ED-906D-4196-8DC3-F987D2F6615F}v14.29.30133\packages\vcRuntimeMinimum_amd64\cab1.cab""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%LOCALAPPDATA%\Microsoft\Feeds\FeedsStore.feedsdb-ms""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\Start Menu\Programs\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\NTUSER.DAT.LOG2""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Videos\Sample Videos\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\RAC\StateData\RacDatabase.sdf""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Feeds Cache\6FWA5FTW\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\SendTo\Desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "<Full path to file>""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Protect\S-1-5-21-3150914307-1777937420-491476919-1000\Preferred.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\Start Menu\Programs\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\NTUSER.DAT.LOG1""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft Help\MS.INFOPATH.14.1033.hxn""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\History\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%HOMEPATH%\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460\packages\Patch\x64\Windows6.1-KB2999226-x64.msu""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%APPDATA%\Microsoft\Windows\IETldCache\index.dat""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{38b2c744-ad08-4d5b-91a2-3fb6f739ff3e}\VC_redist.x86.exe""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Protect\S-1-5-21-3150914307-1777937420-491476919-1000\51da22b7-9513-4885-adb9-cd2e72f47f0a.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Music\Sample Music\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles(x86)%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Videos\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft Help\MS.GRAPH.14.1033.hxn""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_BestBet.H1W""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles%\Microsoft Shared\MSInfo\msinfo32.exe""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%APPDATA%\Microsoft\Windows\IETldCache\index.dat""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft Help\MS.GROOVE.14.1033.hxn.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Protect\S-1-5-21-3150914307-1777937420-491476919-1000\a786b820-2a9e-4925-b3ac-88dea09c4a01.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\Recent\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\Recent\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\Start Menu\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\Start Menu\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\IconCache.db.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft Help\MS.GRAPH.14.1033.hxn.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\IconCache.db""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%HOMEPATH%\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft Help\MS.GROOVE.14.1033.hxn""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%HOMEPATH%\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460\packages\Patch\x64\Windows6.1-KB2999226-x64.msu""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles%\Microsoft Shared\MSInfo\msinfo32.exe""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_BestBet.H1W.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Protect\S-1-5-21-3150914307-1777937420-491476919-1000\a786b820-2a9e-4925-b3ac-88dea09c4a01""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\NTUSER.DAT.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\I3NMAT9Z\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\DYPS348I\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%LOCALAPPDATA%\Microsoft\Feeds Cache\index.dat""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat{62676190-51ca-11ee-be5d-0800276b50ae}.TM.blf""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_528c94ccf5464e2e06249b41105333fcda5052_cab_02612a57\display.inf""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft Help\MS.MSACCESS.14.1033.hxn.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%LOCALAPPDATA%\Microsoft\Feeds Cache\index.dat""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft Help\MS.MSACCESS.14.1033.hxn""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat{62676190-51ca-11ee-be5d-0800276b50ae}.TM.blf.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Feeds Cache\index.dat.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat{62676190-51ca-11ee-be5d-0800276b50ae}.TM.blf""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat{62676190-51ca-11ee-be5d-0800276b50ae}.TM.blf""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Feeds Cache\index.dat""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\NTUSER.DAT.LOG.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.H1D.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\index.dat.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\index.dat.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.H1D""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\EA09503G\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Windows Defender\Support\MPLog-07132009-221054.log""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_528c94ccf5464e2e06249b41105333fcda5052_cab_02612a57\display.inf""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Windows Defender\Support\MPLog-07132009-221054.log""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\EA09503G\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\I3NMAT9Z\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\DYPS348I\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\index.dat""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Recorded TV\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\microsoft shared\VGX\VGX.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles%\Microsoft Shared\VGX\VGX.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Search\Data\Applications\Windows\MSS.chk""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\cab1.cab""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%APPDATA%\Mozilla\Firefox\Profiles\v08trqk6.default-release\cert9.db""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Feeds Cache\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\History\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Feeds Cache\15IVKCR3\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Recorded TV\Sample Media\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Feeds Cache\BBS9HW0E\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Feeds Cache\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\Burn\Burn\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "<Full path to file>""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\Burn\Burn\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{EC9807DE-B577-47B1-A024-0251805ACF24}v14.29.30133\packages\vcRuntimeMinimum_x86\cab1.cab""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{EC9807DE-B577-47B1-A024-0251805ACF24}v14.29.30133\packages\vcRuntimeMinimum_x86\cab1.cab""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\microsoft shared\VGX\VGX.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Search\Data\Applications\Windows\MSS.chk""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\cab1.cab""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles%\Microsoft Shared\VGX\VGX.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%APPDATA%\Mozilla\Firefox\Profiles\v08trqk6.default-release\cert9.db""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\IETldCache\index.dat.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%HOMEPATH%\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft Help\MS.EXCEL.14.1033.hxn""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\state.rsm""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Documents\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Downloads\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_d99ef00b-ccd3-4f1d-9980-90ac453b0b47""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%HOMEPATH%\Contacts\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Recovery\4cc8e8a4-51d2-11ee-b826-9a90d4dcffb5\boot.sdi""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Downloads\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles%\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft Help\Hx.hxn""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Desktop\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft Help\Hx.hxn""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles%\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_CValidator.H1D.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "del /f "%ProgramFiles%\DVD Maker\audiodepthconverter.ax""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Mozilla\updates\D78BF5DD33499EC2\update-config.json""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_CValidator.H1D""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Documents\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_AssetId.H1W""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles%\Microsoft Shared\Stationery\Bears.htm""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\microsoft shared\ink\1.0\Microsoft.Ink.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles%\Microsoft Shared\ink\Alphabet.xml""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\MF\Pending.GRL""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_d99ef00b-ccd3-4f1d-9980-90ac453b0b47""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles%\Microsoft Shared\ink\Alphabet.xml""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft Help\MS.EXCEL.14.1033.hxn.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%HOMEPATH%\Contacts\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_CValidator.H1D""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\index.dat""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles%\Microsoft Shared\Stationery\Bears.htm""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Mozilla\updates\D78BF5DD33499EC2\update-config.json""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\win32cryp.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ProgramFiles(x86)%\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles%\Internet Explorer\en-US\hmmapi.dll.mui""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles%\DVD Maker\audiodepthconverter.ax""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles%\DVD Maker\audiodepthconverter.ax""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ProgramFiles(x86)%\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ProgramFiles%\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ProgramFiles%\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft Help\Hx.hxn.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles%\Internet Explorer\hmmapi.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "vssadmin delete shadows /all /quiet"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -Force -ExclusionPath <Drive name for removable media>:\"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -Force -ExclusionPath D:\"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -Force -ExclusionPath E:\"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -Force -ExclusionPath C:\"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -Force -ExclusionExtension py"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -Force -ExclusionExtension exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "del /f "%ProgramFiles%\Internet Explorer\hmmapi.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles%\Internet Explorer\hmmapi.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles%\System\DirectDB.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "del /f "%ProgramFiles%\Internet Explorer\en-US\hmmapi.dll.mui""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_CValidator.H1D""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Desktop\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Recovery\4cc8e8a4-51d2-11ee-b826-9a90d4dcffb5\boot.sdi.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft Help\Hx.hxn""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles%\System\ado\adojavas.inc""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles%\Internet Explorer\en-US\hmmapi.dll.mui""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles%\System\ado\adojavas.inc""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles(x86)%\Internet Explorer\en-US\hmmapi.dll.mui""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles%\System\DirectDB.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles(x86)%\Internet Explorer\en-US\hmmapi.dll.mui""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\index.dat""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\OFFICE\AssetLibrary.ico""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%HOMEPATH%\Music\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%HOMEPATH%\Favorites\Links for United States\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\microsoft shared\MSInfo\msinfo32.exe""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%HOMEPATH%\Favorites\Links\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\microsoft shared\ink\1.7\Microsoft.Ink.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{295d1583-fdb9-414b-a4c8-da539362a26b}\VC_redist.x64.exe""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\Libraries\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%HOMEPATH%\Favorites\Links\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\Libraries\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{295d1583-fdb9-414b-a4c8-da539362a26b}\VC_redist.x64.exe""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\microsoft shared\Stationery\Bears.htm""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Protect\CREDHIST.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\microsoft shared\MSInfo\en-US\msinfo32.exe.mui""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\microsoft shared\ink\InkDiv.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Libraries\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\Cookies\index.dat.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\Cookies\index.dat""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\System\DirectDB.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\microsoft shared\ink\1.7\Microsoft.Ink.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Videos\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%APPDATA%\Microsoft\Windows\Cookies\index.dat""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Recorded TV\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\NTUSER.DAT.LOG""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles(x86)%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Music\Sample Music\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles(x86)%\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%APPDATA%\Microsoft\Windows\Cookies\index.dat""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%HOMEPATH%\Links\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%HOMEPATH%\Links\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%HOMEPATH%\Music\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles(x86)%\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\microsoft shared\MSInfo\msinfo32.exe""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\IETldCache\index.dat""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Protect\S-1-5-21-3150914307-1777937420-491476919-1000\51da22b7-9513-4885-adb9-cd2e72f47f0a""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\OFFICE\AssetLibrary.ico""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\microsoft shared\ink\1.0\Microsoft.Ink.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%HOMEPATH%\Favorites\Links for United States\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\state.rsm""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Protect\CREDHIST""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\microsoft shared\ink\en-US\InkObj.dll.mui""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%HOMEPATH%\Favorites\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%HOMEPATH%\Documents\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles%\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\NTUSER.DAT""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\microsoft shared\DAO\dao360.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\MF\Pending.GRL""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%HOMEPATH%\Documents\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles%\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_AssetId.H1W.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Pictures\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\System\ado\adojavas.inc""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\microsoft shared\Stationery\Bears.htm""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Music\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Libraries\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Pictures\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\System\DirectDB.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\microsoft shared\ink\en-US\InkObj.dll.mui""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Oracle\Java\javapath\java.exe""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Oracle\Java\javapath\java.exe""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\microsoft shared\ink\InkDiv.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "%HOMEPATH%\Downloads\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%HOMEPATH%\Downloads\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Music\desktop.ini""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\microsoft shared\MSInfo\en-US\msinfo32.exe.mui""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "%HOMEPATH%\Favorites\desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\microsoft shared\DAO\dao360.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini.NEw""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\System\ado\adojavas.inc""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\index.dat""' (with hidden window)

Restarts the analyzed sample

Executes the following

'<SYSTEM32>\cmd.exe' /c "nslookup myip.opendns.com resolver1.opendns.com"
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles(x86)%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\SendTo\Desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\RAC\StateData\RacDatabase.sdf""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\User Account Pictures\user.bmp""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%LOCALAPPDATA%\Microsoft\Feeds\FeedsStore.feedsdb-ms""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Protect\S-1-5-21-3150914307-1777937420-491476919-1000\Preferred""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Videos\Sample Videos\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft Help\MS.INFOPATH.14.1033.hxn.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Windows\Caches\cversions.2.db""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%LOCALAPPDATA%\Microsoft\Feeds\FeedsStore.feedsdb-ms""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\NTUSER.DAT.LOG1""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft Help\MS.INFOPATH.14.1033.hxn""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\NTUSER.DAT.LOG1.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{38b2c744-ad08-4d5b-91a2-3fb6f739ff3e}\VC_redist.x86.exe""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Feeds Cache\6FWA5FTW\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\User Account Pictures\user.bmp""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{6CD9E9ED-906D-4196-8DC3-F987D2F6615F}v14.29.30133\packages\vcRuntimeMinimum_amd64\cab1.cab""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Protect\S-1-5-21-3150914307-1777937420-491476919-1000\Preferred.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\Start Menu\Programs\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\NTUSER.DAT.LOG2""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Videos\Sample Videos\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\RAC\StateData\RacDatabase.sdf""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Feeds Cache\6FWA5FTW\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\SendTo\Desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "<Full path to file>""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\Start Menu\Programs\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles(x86)%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Windows\Caches\cversions.2.db""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\Recent\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\Recent\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\Start Menu\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft Help\MS.GRAPH.14.1033.hxn""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Recorded TV\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles%\Microsoft Shared\MSInfo\msinfo32.exe""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Protect\S-1-5-21-3150914307-1777937420-491476919-1000\51da22b7-9513-4885-adb9-cd2e72f47f0a.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Music\Sample Music\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles(x86)%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Videos\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_BestBet.H1W""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%APPDATA%\Microsoft\Windows\IETldCache\index.dat""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\NTUSER.DAT.LOG.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\IETldCache\index.dat.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%HOMEPATH%\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Videos\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%APPDATA%\Microsoft\Windows\Cookies\index.dat""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Recorded TV\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\NTUSER.DAT.LOG""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\NTUSER.DAT.LOG2.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{6CD9E9ED-906D-4196-8DC3-F987D2F6615F}v14.29.30133\packages\vcRuntimeMinimum_amd64\cab1.cab""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\Start Menu\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\IconCache.db.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Protect\S-1-5-21-3150914307-1777937420-491476919-1000\a786b820-2a9e-4925-b3ac-88dea09c4a01.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft Help\MS.GROOVE.14.1033.hxn.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Protect\S-1-5-21-3150914307-1777937420-491476919-1000\a786b820-2a9e-4925-b3ac-88dea09c4a01""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\IconCache.db""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%HOMEPATH%\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft Help\MS.GROOVE.14.1033.hxn""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%HOMEPATH%\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460\packages\Patch\x64\Windows6.1-KB2999226-x64.msu""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles%\Microsoft Shared\MSInfo\msinfo32.exe""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_BestBet.H1W.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft Help\MS.GRAPH.14.1033.hxn.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%APPDATA%\Microsoft\Windows\IETldCache\index.dat""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%HOMEPATH%\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460\packages\Patch\x64\Windows6.1-KB2999226-x64.msu""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Recorded TV\Sample Media\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Feeds Cache\BBS9HW0E\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Feeds Cache\15IVKCR3\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\DYPS348I\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%LOCALAPPDATA%\Microsoft\Feeds Cache\index.dat""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat{62676190-51ca-11ee-be5d-0800276b50ae}.TM.blf""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft Help\MS.MSACCESS.14.1033.hxn.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat{62676190-51ca-11ee-be5d-0800276b50ae}.TM.blf""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%LOCALAPPDATA%\Microsoft\Feeds Cache\index.dat""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft Help\MS.MSACCESS.14.1033.hxn""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat{62676190-51ca-11ee-be5d-0800276b50ae}.TM.blf.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Feeds Cache\index.dat.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat{62676190-51ca-11ee-be5d-0800276b50ae}.TM.blf""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Feeds Cache\index.dat""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\I3NMAT9Z\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Windows Defender\Support\MPLog-07132009-221054.log""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles(x86)%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\EA09503G\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.H1D.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\index.dat.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\index.dat.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.H1D""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\index.dat""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\index.dat""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_528c94ccf5464e2e06249b41105333fcda5052_cab_02612a57\display.inf""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Windows Defender\Support\MPLog-07132009-221054.log""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\EA09503G\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\I3NMAT9Z\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\DYPS348I\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\Burn\Burn\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\microsoft shared\VGX\VGX.dll""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Search\Data\Applications\Windows\MSS.chk""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\cab1.cab""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%APPDATA%\Mozilla\Firefox\Profiles\v08trqk6.default-release\cert9.db""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\Burn\Burn\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Feeds Cache\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\History\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Feeds Cache\15IVKCR3\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Recorded TV\Sample Media\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Feeds Cache\BBS9HW0E\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Feeds Cache\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "<Full path to file>""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\History\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{38b2c744-ad08-4d5b-91a2-3fb6f739ff3e}\VC_redist.x86.exe""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\index.dat""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{EC9807DE-B577-47B1-A024-0251805ACF24}v14.29.30133\packages\vcRuntimeMinimum_x86\cab1.cab""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles%\Microsoft Shared\VGX\VGX.dll""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\microsoft shared\VGX\VGX.dll""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Search\Data\Applications\Windows\MSS.chk""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\cab1.cab""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles%\Microsoft Shared\VGX\VGX.dll""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%APPDATA%\Mozilla\Firefox\Profiles\v08trqk6.default-release\cert9.db""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{EC9807DE-B577-47B1-A024-0251805ACF24}v14.29.30133\packages\vcRuntimeMinimum_x86\cab1.cab""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_528c94ccf5464e2e06249b41105333fcda5052_cab_02612a57\display.inf""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Music\Sample Music\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\Libraries\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft Help\Hx.hxn""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles%\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_CValidator.H1D.NEw""
'<SYSTEM32>\cmd.exe' /c "del /f "%ProgramFiles%\DVD Maker\audiodepthconverter.ax""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Mozilla\updates\D78BF5DD33499EC2\update-config.json""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles%\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll""
'<SYSTEM32>\cmd.exe' /c "del /f "%ProgramFiles%\Internet Explorer\hmmapi.dll""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft Help\Hx.hxn.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft Help\Hx.hxn""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Desktop\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_CValidator.H1D""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\desktop.ini.NEw""
'<SYSTEM32>\attrib.exe' +h "%ProgramFiles(x86)%\desktop.ini.NEw"
'<SYSTEM32>\attrib.exe' -h -r -s "%ProgramFiles%\Internet Explorer\hmmapi.dll"
'<SYSTEM32>\attrib.exe' -h -r -s "%ProgramFiles%\DVD Maker\audiodepthconverter.ax"
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Desktop\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Mozilla\updates\D78BF5DD33499EC2\update-config.json""
'<SYSTEM32>\attrib.exe' +h "%LOCALAPPDATA%\win32cryp.dll"
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_CValidator.H1D""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles%\Microsoft Shared\ink\Alphabet.xml""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft Help\MS.EXCEL.14.1033.hxn.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%HOMEPATH%\Contacts\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_CValidator.H1D""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_d99ef00b-ccd3-4f1d-9980-90ac453b0b47""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Documents\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Downloads\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\state.rsm""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft Help\MS.EXCEL.14.1033.hxn""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\state.rsm""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Documents\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Downloads\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_d99ef00b-ccd3-4f1d-9980-90ac453b0b47""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%HOMEPATH%\Contacts\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Recovery\4cc8e8a4-51d2-11ee-b826-9a90d4dcffb5\boot.sdi.NEw""
'<SYSTEM32>\cmd.exe' /c "del /f "%ProgramFiles%\Internet Explorer\en-US\hmmapi.dll.mui""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles%\System\ado\adojavas.inc""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles(x86)%\Internet Explorer\ExtExport.exe""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Recovery\4cc8e8a4-51d2-11ee-b826-9a90d4dcffb5\boot.sdi""
'<SYSTEM32>\cmd.exe' /c "vssadmin delete shadows /all /quiet"
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles%\Internet Explorer\en-US\hmmapi.dll.mui""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles%\DVD Maker\audiodepthconverter.ax""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles%\DVD Maker\audiodepthconverter.ax""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ProgramFiles(x86)%\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ProgramFiles%\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ProgramFiles%\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%LOCALAPPDATA%\win32cryp.dll""
'<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles%\Internet Explorer\en-US\hmmapi.dll.mui""
'<SYSTEM32>\cmd.exe' /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -Force -ExclusionPath <Drive name for removable media>:\"
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -Force -ExclusionPath D:\"
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -Force -ExclusionPath E:\"
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -Force -ExclusionPath C:\"
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -Force -ExclusionExtension py"
'<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -Force -ExclusionExtension exe"
'<SYSTEM32>\nslookup.exe' myip.opendns.com resolver1.opendns.com
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
'<SYSTEM32>\cmd.exe' /c wevtutil.exe el
'<SYSTEM32>\attrib.exe' +h "%ProgramFiles%\desktop.ini.NEw"
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ProgramFiles(x86)%\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles%\System\ado\adojavas.inc""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles(x86)%\Internet Explorer\en-US\hmmapi.dll.mui""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles%\System\DirectDB.dll""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles(x86)%\Internet Explorer\en-US\hmmapi.dll.mui""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini""
'<SYSTEM32>\icacls.exe' "%ProgramFiles%\Internet Explorer\hmmapi.dll"
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles%\System\DirectDB.dll""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft Help\Hx.hxn""
'<SYSTEM32>\attrib.exe' -h "%ProgramFiles(x86)%\desktop.ini"
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\desktop.ini""
'<SYSTEM32>\attrib.exe' -h "%ProgramFiles%\desktop.ini"
'<SYSTEM32>\icacls.exe' "%ProgramFiles%\DVD Maker\audiodepthconverter.ax"
'<SYSTEM32>\icacls.exe' "%ProgramFiles%\Internet Explorer\en-US\hmmapi.dll.mui"
'<SYSTEM32>\wevtutil.exe' el
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles%\Internet Explorer\hmmapi.dll""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles%\Internet Explorer\hmmapi.dll""
'<SYSTEM32>\attrib.exe' -h -r -s "%ProgramFiles%\Internet Explorer\en-US\hmmapi.dll.mui"
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_AssetId.H1W""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%HOMEPATH%\Favorites\Links\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\Libraries\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{295d1583-fdb9-414b-a4c8-da539362a26b}\VC_redist.x64.exe""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\microsoft shared\Stationery\Bears.htm""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Protect\CREDHIST.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\microsoft shared\MSInfo\en-US\msinfo32.exe.mui""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\microsoft shared\ink\InkDiv.dll""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Libraries\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\Cookies\index.dat""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\System\DirectDB.dll""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Pictures\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\microsoft shared\Stationery\Bears.htm""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Public\Music\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Libraries\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Pictures\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\System\DirectDB.dll""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\microsoft shared\ink\en-US\InkObj.dll.mui""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Windows\Cookies\index.dat.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{295d1583-fdb9-414b-a4c8-da539362a26b}\VC_redist.x64.exe""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles(x86)%\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\OFFICE\AssetLibrary.ico""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%HOMEPATH%\Favorites\Links for United States\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%HOMEPATH%\Links\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%HOMEPATH%\Music\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles(x86)%\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\microsoft shared\MSInfo\msinfo32.exe""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Windows\IETldCache\index.dat""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Protect\S-1-5-21-3150914307-1777937420-491476919-1000\51da22b7-9513-4885-adb9-cd2e72f47f0a""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\microsoft shared\ink\1.7\Microsoft.Ink.dll""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%APPDATA%\Microsoft\Windows\Cookies\index.dat""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%HOMEPATH%\Links\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\OFFICE\AssetLibrary.ico""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%HOMEPATH%\Music\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%HOMEPATH%\Favorites\Links for United States\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\microsoft shared\MSInfo\msinfo32.exe""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%HOMEPATH%\Favorites\Links\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\microsoft shared\ink\1.7\Microsoft.Ink.dll""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Oracle\Java\javapath\java.exe""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\microsoft shared\ink\InkDiv.dll""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\NTUSER.DAT""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\microsoft shared\DAO\dao360.dll""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\MF\Pending.GRL""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%HOMEPATH%\Documents\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles%\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_AssetId.H1W.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\microsoft shared\ink\1.0\Microsoft.Ink.dll""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles%\Microsoft Shared\Stationery\Bears.htm""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\MF\Pending.GRL""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles%\Microsoft Shared\Stationery\Bears.htm""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\microsoft shared\ink\1.0\Microsoft.Ink.dll""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles%\Microsoft Shared\ink\Alphabet.xml""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\NTUSER.DAT.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles%\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%HOMEPATH%\Downloads\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Public\Music\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\microsoft shared\MSInfo\en-US\msinfo32.exe.mui""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%HOMEPATH%\Favorites\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\microsoft shared\DAO\dao360.dll""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll""
'<SYSTEM32>\cmd.exe' /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%ALLUSERSPROFILE%\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn.NEw""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ALLUSERSPROFILE%\Oracle\Java\javapath\java.exe""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\System\ado\adojavas.inc""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%HOMEPATH%\Downloads\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%ALLUSERSPROFILE%\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%APPDATA%\Microsoft\Protect\CREDHIST""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%CommonProgramFiles(x86)%\microsoft shared\ink\en-US\InkObj.dll.mui""
'<SYSTEM32>\cmd.exe' /c "attrib -h "%HOMEPATH%\Favorites\desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib +h "%HOMEPATH%\Documents\desktop.ini.NEw""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%ALLUSERSPROFILE%\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm""
'<SYSTEM32>\cmd.exe' /c "attrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll""
'<SYSTEM32>\cmd.exe' /c "icacls.exe "%CommonProgramFiles(x86)%\System\ado\adojavas.inc""
'<SYSTEM32>\cmd.exe' /c "attrib -h -r -s "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\index.dat""

技术

术语

教育培训

误区

Technical Information

Curing recommendations

Free trial