Analysis
max time kernel: 145s
max time network: 123s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 22/07/2024, 16:58
Static task: static1
Behavioral task: behavioral1
Sample: 64029764c9cc8eedb624ae07f521b550_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: 64029764c9cc8eedb624ae07f521b550_JaffaCakes118.exe
Size: 296KB
MD5: 64029764c9cc8eedb624ae07f521b550
SHA1: cd8207bfa3102fcb71ba8262a8200d9c0f566545
SHA256: 7c3f59e50e19c3f455795dca0c22a6d2df3589c2b9c9e992b3c00e913f01e5d4
SHA512: 7a19a50cbaf4b962265d7bd7e18238d9067cbe296dfee919546d732f15416b29c353f4a78d65de6bc33bbb24a2f4463cae4e25013b7532585bd1b0a5a50a4644
SSDEEP: 6144:CkcCwx84nRuEbaKu60ymK1Z7XLlP9a0vvVeh6Zh4Q45vEK:QOEaVemA7k0nY6Hi
Malware Config
Extracted
darkcomet
TARGETS
darkjordan.zapto.org:99
DC_MUTEX-4HRQL7S
InstallPath: MSDCSC\msdcsc.exe
gencode: 6JAyfX7jmXyP
install: true
offline_keylogger: true
password: 1983
persistence: false
reg_key: MicroUpdate
Extracted
darkcomet
gencode: (empty)
install: false
offline_keylogger: false
persistence: false
Signatures
-
Modifies WinLogon for persistence 2 TTPs 49 IoCs
em32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\syst
em32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32
\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe" msdcsc.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\syst
em32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32
\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\6JAyfX7jmXyP\\6JAyfX7jmXyP\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
Sets file to hidden 1 TTPs 64 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Deletes itself 1 IoCs
pid Process 2948 notepad.exe -
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
yara_rule upx matched the behavioral1 process memory dumps.
Adds Run key to start application 2 TTPs 49 IoCs
Drops file in System32 directory 64 IoCs
Suspicious use of SetThreadContext 49 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 49 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\64029764c9cc8eedb624ae07f521b550_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\64029764c9cc8eedb624ae07f521b550_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\64029764c9cc8eedb624ae07f521b550_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\64029764c9cc8eedb624ae07f521b550_JaffaCakes118.exe"2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\64029764c9cc8eedb624ae07f521b550_JaffaCakes118.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\64029764c9cc8eedb624ae07f521b550_JaffaCakes118.exe" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2652
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
PID:2212
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- Deletes itself
PID:2948
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h5⤵PID:1836
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h6⤵PID:2804
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h5⤵PID:2864
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h6⤵
- Views/modifies file attributes
PID:2524
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵PID:1724
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2920 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:980 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h7⤵PID:568
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h8⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2376
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h7⤵PID:2008
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h8⤵
- Views/modifies file attributes
PID:1392
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad7⤵PID:948
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2940 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2180 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h9⤵PID:2460
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h10⤵
- Sets file to hidden
PID:1044
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h9⤵PID:1736
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h10⤵PID:2240
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad9⤵PID:1460
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:576 -
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h11⤵PID:1536
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h12⤵
- Sets file to hidden
PID:2680
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h11⤵PID:2032
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h12⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2728
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad11⤵PID:2012
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2544 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2820 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h13⤵PID:2948
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h14⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1804
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h13⤵PID:2596
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h14⤵
- Sets file to hidden
PID:3032
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad13⤵PID:2300
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2416 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h15⤵PID:1400
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h16⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2312
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h15⤵PID:1908
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h16⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:1788
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad15⤵PID:1912
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:772 -
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h17⤵PID:1512
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h18⤵
- Sets file to hidden
PID:1528
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h17⤵PID:2000
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h18⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:688
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad17⤵PID:2360
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2972 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h19⤵PID:2292
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h20⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:2516
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h19⤵PID:2112
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h20⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2908
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad19⤵PID:2772
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3068 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:396 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h21⤵PID:2876
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h22⤵
- Sets file to hidden
PID:1988
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h21⤵PID:1280
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h22⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2716
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad21⤵PID:2464
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1784 -
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h23⤵PID:2920
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h24⤵
- Views/modifies file attributes
PID:2360
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h23⤵PID:2312
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h24⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:768
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad23⤵PID:1152
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1776 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1036 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h25⤵PID:2980
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h26⤵
- Views/modifies file attributes
PID:1572
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h25⤵PID:1960
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h26⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2116
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad25⤵PID:1408
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2500 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"26⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h27⤵PID:1792
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h28⤵
- Sets file to hidden
PID:836
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h27⤵PID:1452
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h28⤵
- Sets file to hidden
- Drops file in System32 directory
PID:924
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad27⤵PID:2408
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2416 -
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"28⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2400 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h29⤵PID:2160
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h30⤵
- Views/modifies file attributes
PID:1556
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h29⤵PID:2340
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h30⤵
- Sets file to hidden
PID:1028
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad29⤵PID:1260
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1272 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"30⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h31⤵PID:2232
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h32⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2752
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h31⤵PID:2208
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h32⤵
- Sets file to hidden
- Drops file in System32 directory
PID:2140
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad31⤵PID:2364
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1800 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"32⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h33⤵PID:2840
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h34⤵
- Views/modifies file attributes
PID:1476
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h33⤵PID:2648
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h34⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2076
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad33⤵PID:624
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1964 -
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"34⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 35⤵ PID:948
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 36⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2956
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 35⤵ PID:2464
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 36⤵
- Sets file to hidden
PID:1812
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 35⤵ PID:1392
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2388 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 36⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 37⤵ PID:1048
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 38⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2296
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 37⤵ PID:2176
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 38⤵
- Views/modifies file attributes
PID:1532
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 37⤵ PID:1628
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2240 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 38⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 39⤵ PID:2652
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 40⤵
- Sets file to hidden
PID:1680
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 39⤵ PID:3028
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 40⤵
- Sets file to hidden
- Views/modifies file attributes
PID:936
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 39⤵ PID:1688
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\system32\MSDCSC\msdcsc.exe" 39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1540 -
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" 40⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1352 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 41⤵ PID:2944
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 42⤵ PID:2928
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 41⤵ PID:2960
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 42⤵ PID:2456
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 41⤵ PID:1028
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1608 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 42⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 43⤵ PID:1800
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 44⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2404
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 43⤵ PID:2040
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 44⤵ PID:1476
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 43⤵ PID:2852
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2764 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 44⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 45⤵ PID:756
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 46⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2988
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 45⤵ PID:1260
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 46⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2712
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 45⤵ PID:1196
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\system32\MSDCSC\msdcsc.exe" 45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:236 -
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" 46⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 47⤵ PID:2140
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 48⤵ PID:2600
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 47⤵ PID:2996
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 48⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2636
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 47⤵ PID:1604
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2772 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 48⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 49⤵ PID:1688
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 50⤵ PID:1564
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 49⤵ PID:2380
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 50⤵ PID:940
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 49⤵ PID:2416
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2016 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 50⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 51⤵ PID:1040
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 52⤵ PID:1500
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 51⤵ PID:2360
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 52⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:1776
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 51⤵ PID:1508
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\system32\MSDCSC\msdcsc.exe" 51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2396 -
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" 52⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 53⤵ PID:1796
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 54⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1648
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 53⤵ PID:1540
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 54⤵
- Views/modifies file attributes
PID:2928
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 53⤵ PID:956
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1528 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 54⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2792 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 55⤵ PID:2308
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 56⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1052
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 55⤵ PID:808
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 56⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1812
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 55⤵ PID:3000
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2956 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 56⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2296 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 57⤵ PID:1912
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 58⤵
- Views/modifies file attributes
PID:1776
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 57⤵ PID:772
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 58⤵
- Sets file to hidden
- Drops file in System32 directory
PID:2256
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 57⤵ PID:1156
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\system32\MSDCSC\msdcsc.exe" 57⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" 58⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 59⤵ PID:1360
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 60⤵
- Sets file to hidden
- Views/modifies file attributes
PID:684
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 59⤵ PID:1052
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 60⤵
- Views/modifies file attributes
PID:2600
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 59⤵ PID:2964
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:284 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 60⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1156 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 61⤵ PID:1100
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 62⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1044
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 61⤵ PID:2248
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 62⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2964
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 61⤵ PID:2288
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2740 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 62⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 63⤵ PID:2212
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 64⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2928
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 63⤵ PID:2636
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 64⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:944
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 63⤵ PID:1608
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\system32\MSDCSC\msdcsc.exe" 63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2076 -
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" 64⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 65⤵ PID:2704
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 66⤵
- Sets file to hidden
PID:2116
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 65⤵ PID:2908
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 66⤵
- Sets file to hidden
PID:936
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 65⤵ PID:3008
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:944 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 66⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
PID:1788 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 67⤵ PID:276
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 68⤵ PID:1572
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 67⤵ PID:1592
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 68⤵ PID:236
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 67⤵ PID:1976
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 67⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2572 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 68⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 69⤵ PID:2116
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 70⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3140
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 69⤵ PID:1964
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 70⤵
- Sets file to hidden
PID:3160
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 69⤵ PID:1556
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\system32\MSDCSC\msdcsc.exe" 69⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3096 -
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" 70⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
PID:3176 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 71⤵ PID:3232
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 72⤵
- Sets file to hidden
PID:3452
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 71⤵ PID:3240
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 72⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3460
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 71⤵ PID:3256
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 71⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3400 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 72⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
PID:3480 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 73⤵ PID:3528
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 74⤵
- Sets file to hidden
PID:3744
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 73⤵ PID:3536
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 74⤵
- Views/modifies file attributes
PID:3760
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 73⤵ PID:3544
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 73⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3684 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 74⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
PID:3776 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 75⤵ PID:3828
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 76⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4044
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 75⤵ PID:3844
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 76⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4056
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 75⤵ PID:3856
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\system32\MSDCSC\msdcsc.exe" 75⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4000 -
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" 76⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
PID:4076 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 77⤵ PID:1700
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 78⤵ PID:3288
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 77⤵ PID:3084
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 78⤵
- Sets file to hidden
PID:3308
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 77⤵ PID:2168
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 77⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3140 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 78⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
PID:3272 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 79⤵ PID:3344
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 80⤵
- Sets file to hidden
- Drops file in System32 directory
PID:3604
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 79⤵ PID:3352
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 80⤵
- Views/modifies file attributes
PID:3624
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 79⤵ PID:3228
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 79⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3512 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 80⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
PID:3648 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 81⤵ PID:3568
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 82⤵ PID:3960
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 81⤵ PID:3596
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 82⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3968
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 81⤵ PID:3652
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\system32\MSDCSC\msdcsc.exe" 81⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3900 -
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" 82⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
PID:3996 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 83⤵ PID:4024
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 84⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3116
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 83⤵ PID:4048
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 84⤵
- Sets file to hidden
PID:3152
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 83⤵ PID:3772
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 83⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1648 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 84⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
PID:3184 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 85⤵ PID:3396
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 86⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3588
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 85⤵ PID:3392
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 86⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3468
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 85⤵ PID:3164
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 85⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3448 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 86⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
PID:3364 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 87⤵ PID:3576
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 88⤵ PID:3980
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 87⤵ PID:3564
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 88⤵
- Views/modifies file attributes
PID:3820
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 87⤵ PID:3692
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\system32\MSDCSC\msdcsc.exe" 87⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3964 -
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" 88⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
PID:4012 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 89⤵ PID:4084
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 90⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3252
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 89⤵ PID:4004
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 90⤵
- Sets file to hidden
PID:3204
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 89⤵ PID:2376
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 89⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2168 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" 90⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
PID:3296 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 91⤵ PID:3260
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h 92⤵
- Views/modifies file attributes
PID:3688
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 91⤵ PID:3216
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h 92⤵
- Views/modifies file attributes
PID:3796
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 91⤵ PID:3200
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 91⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3700 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" 92⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
PID:3840 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 93⤵ PID:3544
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h 94⤵
- Views/modifies file attributes
PID:3120
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 93⤵ PID:3228
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h 94⤵
- Views/modifies file attributes
PID:3984
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 93⤵ PID:3980
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\system32\MSDCSC\msdcsc.exe" 93⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2524 -
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" 94⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
PID:1820 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 95⤵ PID:3168
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h 96⤵
- Views/modifies file attributes
PID:3764
-
-
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 95⤵ PID:3284
-
C:\Windows\SysWOW64\attrib.exe attrib "C:\Windows\SysWOW64\MSDCSC" +s +h 96⤵
- Sets file to hidden
PID:3456
-
-
-
C:\Windows\SysWOW64\notepad.exe notepad 95⤵ PID:3224
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"95⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3636 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"96⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
PID:3420 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h97⤵PID:3200
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h98⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2240
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h97⤵PID:3812
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h98⤵
- Views/modifies file attributes
PID:2288
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad97⤵PID:3884
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"97⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4040 -
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"98⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
PID:3772 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h99⤵PID:2376
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h100⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3328
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h99⤵PID:3988
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h100⤵
- Sets file to hidden
PID:3636
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad99⤵PID:3124
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"99⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3524 -
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"100⤵PID:3700
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h101⤵PID:3820
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h102⤵
- Views/modifies file attributes
PID:2344
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h101⤵PID:4028
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC" +s +h102⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3512
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad101⤵PID:4068
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"101⤵PID:3868
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe"102⤵PID:2396
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h103⤵PID:3428
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\msdcsc.exe" +s +h104⤵
- Views/modifies file attributes
PID:3896
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h103⤵PID:3504
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP" +s +h104⤵
- Sets file to hidden
- Views/modifies file attributes
PID:236
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad103⤵PID:3588
-
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\system32\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"103⤵PID:1364
-
C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe"104⤵PID:944
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h105⤵PID:3888
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP\msdcsc.exe" +s +h106⤵
- Sets file to hidden
PID:3124
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h105⤵PID:3904
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\6JAyfX7jmXyP\6JAyfX7jmXyP" +s +h106⤵PID:3140
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad105⤵PID:3780
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"105⤵PID:3752
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Downloads
-
Filesize
296KB
MD5
64029764c9cc8eedb624ae07f521b550
SHA1
cd8207bfa3102fcb71ba8262a8200d9c0f566545
SHA256
7c3f59e50e19c3f455795dca0c22a6d2df3589c2b9c9e992b3c00e913f01e5d4
SHA512
7a19a50cbaf4b962265d7bd7e18238d9067cbe296dfee919546d732f15416b29c353f4a78d65de6bc33bbb24a2f4463cae4e25013b7532585bd1b0a5a50a4644