Exterminate It! Antimalware

Known threats: 699,742. Last update: November 20, 22:46

AutoRun - Registry Values List

This is a complete list of AutoRun registry values collected by Exterminate It!. If you find any of these registry values on your PC, your computer is very likely to be infected with the AutoRun worm.

IMPORTANT: Because the registry is a core component of your Windows system, it is strongly recommended that you back up the registry before you begin deleting keys and values. For information about backing up the Windows registry, refer to the Registry Editor online help.
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{85E1D190-29F0-40AD-A856-85CDE9C505CF}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\UPeyTofIklKj').ZSHPSUUHTLYXZ)));
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]sejvhwvsmx=wscript.exe //B "[%PROFILE_TEMP%]\sejvhwvsmx..vbs"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{568B0D39-2B32-48A5-824C-D70A631DB9A3}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\JHKx').XOQCQJ)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{5F378155-79F3-40CE-B6A4-72C066B1A495}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\kacJaOl').VkaafbNQHtM)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{3FFA4251-EAE9-4AD3-89DC-36F48DAA5A64}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\dUxVbxsxigWdg').ALvVUAgiaYuBj)));
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]lsasss=[%SYSTEM_DRIVE%]\lsasss.exe
  • [HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE]Windows Audit Service Update=[%PROGRAM_FILES_COMMON%]\Windows Audit Service Update\aywa539e.exe
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{339071D2-877C-49CA-91D6-AA38F35CA706}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\fQWEJWBnv').IBUQQ)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{7FD83842-D049-4929-9419-D431434C7289}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\UNSOOJYKMQP').YGHTJQVLWJGHLI)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{7A9C81CE-C998-4BBC-8748-5573E90F81D7}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\fUgQlPVY').UrcrkrLbpXuQU)));
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Taskman=[%APPDATA%]\vfbu.exe
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{616DFE21-FCED-4298-80F7-C5E38CE58FE1}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\zPhdTmL').JPZGCFEGKONBZE)));
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]xgygrhsirb=wscript.exe //B "[%PROFILE_TEMP%]\xgygrhsirb..vbs"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{111736B6-24C3-4612-BE04-0F913F499D43}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\SERXJGJIYAVB').WeGp)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{A02BC007-2CA8-486B-8C94-98F244BCE155}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\rhHLhxwFGoSI').ozqUCd)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{76817ECC-72BE-40AC-996B-8318E53176F7}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\DUcFsnJ').tmNesRTcRQE)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{76C75615-00EB-4D1A-9404-70B211B8D0E9}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\NxPn').CInTklGBrtBL)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{2D86475F-3A41-4CFC-9BCC-8CEAD01A3653}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\HnJmrntcyMmNdpf').eWTKGhyFXsWF)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{E9395054-0727-41D6-9CB6-F87F64B1D524}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\YtFMLoXkSGzrf').GYFTU)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{95CDD7F8-371C-41B3-8352-FB326D570885}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\ynjIYR').mQDFPmZmYDRm)));
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]syseeeaz=[%SYSTEM_DRIVE%]\RECYCLER\S-1-5-21-0243556031-888888379-781862338-6985472110112323\systeez.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]ghizqwkyae=wscript.exe //B "[%PROFILE_TEMP%]\ghizqwkyae..vbs"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]xhajzaoixj=wscript.exe //B "[%PROFILE_TEMP%]\xhajzaoixj..vbs"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]McaFee virus detect program.=[%PROGRAM_FILES%]\Network Associates\VirusScan\McaUpdate.exe
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{04F2C16F-126E-4E26-9958-5C806E0B2D3B}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\YVPQJFSBP').NIRC)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{4B91D2BC-4883-4048-A22C-391877390B8B}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\CENVJHKILCODS').dJPcQX)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{9AFA29B1-1A59-4E7C-B046-D06D899333A0}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\TixZAiOiY').lljTkeFmSja)));
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]WORM=wscript.exe //B "[%PROFILE_TEMP%]\worm.vbs"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{C0CF9EF0-BE27-4F53-9D25-5836789C8342}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\EDOGaISBxx').bGqiuooMPEIoF)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{4FAA6981-DB12-49CC-9CCD-6A4077A84D37}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\dYAlVDBucqfz').UCUMFBK)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{939E6A04-11FC-4AEA-AEB5-5AEB69E060A5}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\EOFKwMavVr').AODE)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{720F381A-003E-488C-94D1-4977CE2E88E4}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\RQILTZQJJPGPT').WBJbTGWRsnYifsQ)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{01E0BF7A-BDC9-4C89-8BCE-25FB4E165129}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\LTGNIMJOYCP').PALDQJESHZOJ)));
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]hqhuyrarok=wscript.exe //B "[%PROFILE_TEMP%]\hqhuyrarok..vbs"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{69206958-543B-4219-A731-34F9D242B503}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\SFuSzXElaaVnZO').PABTJ)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{45784C00-D5C1-4F74-B38A-60A57D87E0AA}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\YNYWGSI').EDVHNSICCBUWTS)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{1A8DBFDF-2AC2-49F4-B21A-BF82CC213D62}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\rWXGRM').IJSJYP)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{2E57F554-947F-4929-A94A-1F93885D5699}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\RDRlLtNzwdtAaW').bJrHwtpc)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{D48E8BF4-351B-48A2-9094-049093FE9269}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\LHMlcbgMQpCbin').istxxVTWyzuht)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{1993BCB9-7928-4D8E-888A-1BBC04A47269}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\qyiZuRRDpko').SBSZDKB)));
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]msnat226f699f=[%PROFILE_TEMP%]\msnat525f270f.exe
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{CEB0B0B9-CFC0-40A9-AB6B-7578243ABCFC}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\kWUKaGJshKGeJW').dTbqQcXJIEg)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{FE08D7AE-C1F9-4A4B-B0D9-368F4D13F2E3}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\ePAcDpfvZaK').eCKFiBXcsIP)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{388ABFE2-E6FC-437D-805E-0BF1079335EF}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\DvFKZxoH').UNDpRmkT)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{C0570109-D892-48AE-8F6B-7CEF14E8067A}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\xJMs').JUNXZGLHF)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{65B30EBC-7DF7-4823-960F-4C2465F74A2B}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\WFOQNXLIHKHVS').TLEOETVNFKPJHVH)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{C6CC023A-B181-4E4B-93D5-4442F43075A1}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\gNRLDJFcDiuvrw').sQxmGAsnUnnZ)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{CB102283-45C5-455C-8499-B66B10A80E03}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\gjmA').XJWRSESWOA)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{DDCEBEE9-25D1-4773-A49D-A8C771F00FC0}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\mCXX').NCIC)));
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]scvhchov00ad=[%USER_RECYCLE_BIN%]\scvhchv00ad.exe
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{4854903B-D6E7-413C-9B1B-1C92995B2375}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\HZQPATFWN').lrNm)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{45B1BB0F-A840-4F94-8025-33F0A4835C00}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\OPpioe').VLYMGQGRWPWXPJE)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{B59D2191-62C4-4BFD-A59A-33ABF047AAB1}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\IMNMAIHF').TWTIYMEIERSI)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{6370EE6C-19AA-4424-BDAC-6939FE8096FB}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\mZaTWhFus').CQHKQJAQBUKSC)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{3462CC0F-DAFC-41B8-B43F-CF58DC5BD687}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\WLUQEQPO').xThhhpS)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{31F2C892-220A-4F07-B0DE-C3141CFEC9A0}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\lRfCSxN').NCLMNFMAE)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{A8CBF0D2-3039-4161-8B4E-555AF51A95DE}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\hAQYejXMpo').qWgVCMRN)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{AEAFE40C-0D89-4D91-A180-B0F1C7BB2F5A}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\XTEGI').DULM)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{5F7878CF-B210-472C-8440-865DDE3E2FEF}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\YSVxWSLcSYxg').gAnmEZ)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{16EFC44A-DDF3-4B4B-B5D2-7D93E74536FF}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\GOYYFGLN').ONIGCCH)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{45F35EC9-A857-452A-88CB-13CABA166C5F}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\fhOMuZF').uAOYxYMs)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{31DFF494-CE98-4F72-9329-181658D9C7DC}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\KEKABFVMXIIWDJX').BgAPZTjlQcGa)));
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]kjzxitgkje=wscript.exe //B "[%PROFILE_TEMP%]\kjzxitgkje..vbs"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{471A40F9-768D-4591-A453-A8F39727C10F}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\IMNMAIHF').TWTIYMEIERSI)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{B9B01904-889A-4EF7-98C4-C240953C9D7C}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\XCUC').FPCOREJQ)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{D9047887-8FEC-454E-B41A-4262BFCCFB45}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\QFEDCLGSKDLC').rdGrzjbOt)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{F876987E-1CE1-4D3C-AF22-58FA76373E71}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\DMFVYCFRSQOVOQM').VWUADESJUGWHKQV)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{2837E341-5250-4D19-BF54-18FCFC637C51}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\xZhAYwE').EZNTVLXBRUN)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{F5B5B2CB-52C2-4FCA-95DC-D1AD6ABB4AAF}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\VMEHKX').hXXD)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{1C008FB5-7CB9-4DFA-8263-BD66544CCBFD}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\UJKGLPHL').YCDXGGPQW)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{FBC4FE1E-45D1-4419-A0EF-94BD9481CC68}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\sANKKm').BDGARde)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{98667AB3-F3AF-4286-8108-884DD04564D8}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\ZqPoSrPTUao').ExREtbnxhmDt)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{C0DB2DF8-A2BE-4E1D-99A7-6DB2373A4B0F}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\kIHeFmOhXZcCQ').lguNi)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{C9D56A83-9182-472E-B829-B36D1BDD3FD1}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\GyrF').jfXUGVjqdNTSTH)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{7E2F2A58-2962-4446-8650-1A934105CF22}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\EQJFR').VFaxrhI)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{C1C4DB76-2AD9-4B69-BCE7-15F6FE6CFEBF}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\UOGST').MifhHFfNY)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{AF83A0E7-50C6-452E-AC2F-1666625A3200}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\UMVJAYMCHBSOCPD').NAOUDWPXAYR)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{29D280E0-90B3-4D18-B71C-C88B7F2A5B8E}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\mMqXIwJfqqeKl').YxKAXapDgtdjb)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{34C76DC3-C083-441C-A73A-6CEDF94C467D}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\FIPGZDLHIYCVHJN').PFEKBYNTJPAGKWX)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{F5A8DC26-E43B-43B8-8698-5AE2427BA138}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\HfpkXbNdDNr').tkYyfhFph)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{A6CB5D6F-4FB6-42BC-A67A-2D1B4A962C3F}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\VGZTXCCDGLTMGL').vrLxfsztDCivba)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{566FC2FC-F65D-4205-83BF-B5622CC8123C}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\XQACBLDFCLQOD').CMIDGZsonlCfz)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{56EF8E28-D2A6-45B2-B1B0-CB271251D2A8}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\PIPTC').ZLSXRHAYNYHIXQ)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{13F6FBFE-615A-40CB-AEC8-9BA242218FB8}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\inFpqJTMWr').KQCICPVHIUFWT)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{C4554A5E-46F9-4C0E-9D4B-4AE07A9B5184}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\YDMNOXOWPJBMIKX').RSGSGOJWHISJYXH)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{B16C3FF6-60F3-4B49-BA1B-BB4C6A0554E1}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\XDZHH').cykXMa)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{07CA79F2-128E-4626-AC8F-D02F0B6078D7}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\dfCNvjETYKrxU').ECRDIBhYOBuz)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{8BD7B3C7-A3B2-4F48-AD0C-34AD867D7249}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\WszSdgx').IoNksJBEsHmcvv)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{3ADF3868-AE66-42C7-AF23-06D1C0255C82}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\jrtpEflncPviMrT').Qlqya)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{3CDDAD12-B039-4D87-B7AA-327B373783CD}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\YUXYCSOV').kEXSRmbJagsL)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{0FB83719-8BF3-4DD5-A31B-57FCAA8252CF}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\RJUZISVVNFZPH').EUXNZRZCMOLEY)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{E762866D-D82A-4783-89B4-76C2F5AD8099}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\NDYZLFYZ').xMEmmOK)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{609204DD-710B-490A-93AE-6FFEC8BDCA2A}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\AHBJXLRIKY').HLGLDRHFPFWOPY)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{322F4F69-DF5E-47E7-9B9F-3D974A4122E9}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\OERHVOFL').dEqgTsySlnNg)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{CFA40BC5-CFC0-4C72-BF48-935694381F9B}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\NYTFPUAULSEJKD').VlwGPxBtjtNjZ)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{3825AFF9-A1BE-478D-994B-125455F1D2AA}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\UQHFWNWES').BDDDTRVIPC)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{54E202FD-4B31-4954-8775-7B3631CB7F22}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\MMDBC').EGIDKVZYDPGJ)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{55D832FC-4B09-49C1-ABE3-1327C400D89A}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\MaPJ').aHfNzBhrbHrqb)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{C3162A7B-49DE-4FD7-B206-F119266D04B4}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\IRFZB').qXWZBWKuUYS)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{DBB96821-A255-43D6-A1CB-BB333AEE8DB4}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\mNZQd').JCVEQCWXYMAFQQ)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{2B63DDE4-4DB4-4936-8AF5-96F5019287D0}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\ORCYMHKSKZTDWHS').xbDlXjJfugrJoGN)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{09FBA946-8143-487F-B826-B702212628AC}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\QAvHp').ehAk)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{B7131C7B-5793-40D7-BF4C-85BA90F0E812}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\DRAWQXTIIDHP').YTQOMFD)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{F7782A0B-623F-4337-BF72-C9D7EDFC8573}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\DKUUIAHPA').LTYZXOIJVAW)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{8D7B7CA4-BCA7-4618-892A-12F311B38FA7}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\ZUJH').WKNE)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{5E54022D-47AE-449C-9A6F-813DE4F14F15}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\iopFEXnHRZlPK').QAPCNVW)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{93C436CD-5796-4B79-B215-1CF6B4A6F56F}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\cGqKMqlFWh').MCORFDYAX)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{3E764D21-789A-423B-BCCD-C85FD7AB2B3B}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\EDCLKVZQJFQFAK').APSMBF)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{C5A14D9B-4C5C-42D5-A380-9EBF0148C000}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\TFQMXWFNIZ').nUAs)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{9E80A9FF-3726-48F2-BD4E-31F7DA09E845}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\ASQHMTJJ').hWGNsIG)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{F56DFC07-A9FB-4B7F-A0A9-95991B4C737C}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\mtyAlyJ').qHtC)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{D2A9168F-6082-484D-A27F-A3173A06AE37}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\XXIDLJBOS').HHYSBARSIW)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{3A7D515D-8B73-4907-B900-BD44DDB116AA}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\spoeqN').BMJALII)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{010797BB-A195-4B42-95E1-21392EADA84E}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\EZSIKHSNYLHC').YNLMLGSWMGZSGZX)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{9AA7CFB6-A748-4976-89AF-0C6D89B84C33}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\AAOUHNMQNL').wtDQDPNzGc)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{01FC93CE-0A22-4920-ADFF-B7CF5206DC1C}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\KTrptqRLucrnx').paqR)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{0F6EE9A0-E909-4ADD-AED1-25B468A10426}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\HMJQJHFGVY').IAHPGYOTHW)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{E31DE7B3-8A80-474E-BAEB-5C1F586187EB}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\PQNqbPOnktXVY').qOZMpwsqz)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{B05BBF5D-ACCA-4D29-964C-D1C767B31ADE}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\WUCBISZW').qQYjeC)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{93D8D85B-7480-4B39-A731-5FE7BDF941AB}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\WUCBISZW').qQYjeC)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{E8F2DF99-66C2-4F85-AE7E-74B6A1CE6190}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\UWAMMs').CVIKUmoRLen)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{A7DC0DE6-EB37-4E86-8F40-5B8E9CE53C9D}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\mFUQeWBOI').CNWTLIPCGDJCMK)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{C3F69A9A-CBE7-4437-821C-6004E3F068AC}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\ENyD').BWLQEBZUDOIYMK)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{3419B1DA-75A3-440C-8BB6-1BCC72CD368D}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\FoWJb').MuwEqaVxEO)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{64B77FEF-CC60-4710-A187-337A9053B171}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\DJRXXESR').aJVGeHVcBwIUoL)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{1CD74213-FD80-444E-A3E6-ECDCFFF0FE46}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\IhYhMmyb').SUBAPRGAZGS)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{A33935A9-97C0-44AE-AB32-E012677FAB29}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\SPWZFNMQPB').hXTjcNgxI)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{7D6B8DA8-9E49-45E8-8C2B-96F998A8A464}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\yMGTpoPffZbG').faXNVPYhnw)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{5D9EBFB9-8B96-412D-A956-91418E07B436}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\FHWZSGGQCQJFURD').JKGZJK)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{80271396-F137-4A2A-8F36-C82239E4AABB}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\CJNBLV').NXXPS)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{65DA336E-6BD0-4305-8E22-FECEB81EB1D1}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\mtqOkoSEAr').HCAFGL)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{079EB631-62ED-4F6C-8369-4E438B9F1C59}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\VWUI').YBGLRXTPEJUBTIG)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{0694B7D1-81E3-40EB-A835-508827B70ABC}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\VWAWIWKP').gZafzlwlvW)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{6AE58276-4F1E-4A9C-A9A9-27475A8BCB5B}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\DYZPX').eGit)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{22BF167E-7E86-4DAE-AEA2-452A568ED142}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\beXvtBBXSVaoN').MngmMniM)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{D0C29C6B-F10D-4787-9E74-F594CF602B33}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\DvWvlAkr').TSQHJIOHEPL)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{4995108B-6976-458F-ACF1-8AEC5BAA347F}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\jRygGRUkI').YUIeGwzp)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{EE48A032-5611-4E65-85D7-79249FD1531C}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\TixZAiOiY').lljTkeFmSja)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{F125C064-1CBA-48F6-A359-D557E6BD93F4}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\WkFAkunqT').WARCIPICYQMLHOH)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{40C87473-DE83-4A3E-B549-80688BEB15F7}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\KIOHAUIRNKT').VtTJYBOoeYuWnVJ)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{E9E0EC9C-CE55-4112-AB36-5C1E4FF84C67}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\xgQLHQk').JgxpFromVUmY)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{D1EDC1F2-BBF7-45FA-B6EB-D30F7BD143BD}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\ABHBNZACI').nqnhnkPCwwhnme)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{E5F1438C-FC17-49C1-B83F-C72FBB83A0BA}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\fUNniVSrSgSzW').HYQEMJBHDCFMRZ)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{73FD930B-E48E-4C55-B21C-5FD018F28EF9}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\JUAJTVB').MVWUZV)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{2D77982D-DB74-4B22-83F7-D12B01CF54BD}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\SHWL').XWFCKMUSZICNT)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{E0156C44-7740-461C-80E8-8EEBB858E5D9}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\NFJFI').BOXKWYZTQMN)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{3061F955-BDF2-4103-B4E8-50A8DDD1F30D}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\prme').nPaTDJLzosudE)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{1DE50ACB-FF00-4469-AF23-E8E15E5F261B}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\rUYoVgerYaVjV').UHKMXZT)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{81302258-CC00-4511-A952-CF30C86BE23D}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\JREXIZUKYOJB').ITGGWXTQPLNA)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{710C8992-07E6-4CE6-BA69-3B1BE1D73DD0}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\JyIS').KWLMCMZBCMFARCE)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{D003B98E-AFCD-48A8-B6B8-7FAFC4D97DD7}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\wfMCuuXSl').TFSFP)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{A1D413C7-A0F4-4936-BE9F-485477A7D6DE}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\EPKUTGRYPGYMTOX').EMOMMZHVW)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{CBDF5A38-F77D-430F-A9C5-B42D9B5F5D52}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\FECFDWBP').XEZBUKTNX)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{94FDC36D-9A8A-407D-8CBC-14BEB91B2C09}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\NZJHFQZBLJFIR').JnHzZUGhaKS)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{D56368F5-3FA3-43FB-8330-7106709A7ECE}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\nKVDihCbUJSGl').aIumZeHkPniaQW)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{912C1134-83E5-41E2-87DF-EE6D4AFCF633}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\NDOKXE').zQybwXacL)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{8C5CB276-F771-4645-94E6-0E9C48E9BA41}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\UIFUBS').PCBSJJDS)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{124C528A-4D5A-4F5B-81A5-1B2C98CA8DF4}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\ONELMZ').GCAYVDBIVPZV)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{1EFE35EC-499F-450C-8B83-0E56AF7E2D8C}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\NBLXWEHEPNTF').aHrBd)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{26FB503A-19FF-49AE-ABED-0018EC8CAD67}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\usbWP').ZkaKgMwsmKnThF)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{3E6C5000-B1B0-4632-B751-15BC158AD3FC}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\fuKTAtG').OHQUEJFETGZET)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{F8253462-526D-4C84-ADF4-C1A3C2A910D8}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\DokX').GauCkqaLZQpn)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{A6276C5A-3F76-446E-823F-09078DC8250B}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\qtcpvEWcxHb').HbtQ)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{DE52C89B-0E87-4C9D-87C4-179E9D6AC00D}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\EMJPXBYSMDV').LWLEEXXARRDSHBA)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{F113D188-F8B2-4B37-9934-EEBF076DFE67}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\frXaffCuuey').SUJNEOPAFNEEQP)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{A03E059B-EA0C-4CE0-A91E-BB2E62CC9C06}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\FZHVQ').DDPG)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{3944E2A6-95F9-4D99-ADB2-B61A8983EAA4}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\ydFsI').rxqlu)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{C6B6E9BB-AC3F-4B61-8BE5-86BDC4002873}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\OMNMECGJLS').QJLR)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{C607F697-3AB1-418B-A1E2-945DD69931E6}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\yPfjCIY').IvSEGcRGS)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{8D1B2702-778D-47BE-B458-88DFA71D10AE}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\mMvQfgOu').EGLrYLrfPDqirJH)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{6AEB5532-D84D-41A1-B05D-FCF78DF25FC7}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\UODMLG').GtJPeidsUjahb)));
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]{844E79C6-1D07-4990-B2F8-2611D89C51C7}=[%SYSTEM%]\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKC[%ANY_DRIVE%]\Software\Classes\FQmqwO').KFtgY)));