darkcomet | 34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0b

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-10-2024 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Size

993KB
MD5

4424ff327fc46ccbf1e122212df6f6c0
SHA1

b1d555f699b5c1f04cf05b5a09f7c03195275b71
SHA256

34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0b
SHA512

91c752aa8d6e5f27f783f16c518ea41c3d3cd1d11eb610447a4b268ffa280489c51ca70ed46b4797aa5d8f8d581e98f6e97c45a62b4ac25fe9b5b7429846d9cf
SSDEEP

24576:2AojG2m6TtySYXU9/UwlPGhnxy4i9XCWsu5agFya3T5OeZINOh:A/PtySL9/UwluhnhuyWZagdTcuIQh

Score

10^/10

darkcomet dyn-noip discovery evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Dyn-NoIp

rezausa.no-ip.org:3030

rezausa.dyndns.org:3030

Mutex

DC_MUTEX-S2T3FWA

Attributes

InstallPath
taskhost.exe
gencode
MR9sLp0UQRG4
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe"	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe,C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 64 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhost.exe

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
3792	attrib.exe
4400	attrib.exe
4484	attrib.exe
5128	attrib.exe
2664	attrib.exe
2348	attrib.exe
7128	attrib.exe
8076	attrib.exe
996	attrib.exe
6996	attrib.exe
5620	attrib.exe
6372	attrib.exe
7984	attrib.exe
7756	attrib.exe
3920	attrib.exe
4332	attrib.exe
2588	attrib.exe
7080	attrib.exe
4704	attrib.exe
6876	attrib.exe
9092	attrib.exe
6676	attrib.exe
8360	attrib.exe
5748	attrib.exe
6348	attrib.exe
1524	attrib.exe
4784	attrib.exe
2720	attrib.exe
4012	attrib.exe
5448	attrib.exe
7492	attrib.exe
2572	attrib.exe
1240	attrib.exe
4908	attrib.exe
5776	attrib.exe
5660	attrib.exe
7416	attrib.exe
2992	attrib.exe
3388	attrib.exe
5484	attrib.exe
4972	attrib.exe
2240	attrib.exe
1948	attrib.exe
6368	attrib.exe
6820	attrib.exe
8836	attrib.exe
3644	attrib.exe
5588	attrib.exe
7812	attrib.exe
7120	attrib.exe
3988	attrib.exe
6208	attrib.exe
960	attrib.exe
4968	attrib.exe
1008	attrib.exe
3532	attrib.exe
6840	attrib.exe
3316	attrib.exe
4116	attrib.exe
1936	attrib.exe
8696	attrib.exe
3928	attrib.exe
5720	attrib.exe
5260	attrib.exe

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhost.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid	Process
2800	notepad.exe

Executes dropped EXE 64 IoCs

Processes:

pid	Process
2632	taskhost.exe
1916	taskhost.exe
2024	taskhost.exe
380	taskhost.exe
1884	taskhost.exe
2804	taskhost.exe
2836	taskhost.exe
400	taskhost.exe
2540	taskhost.exe
272	taskhost.exe
1544	taskhost.exe
2492	taskhost.exe
1672	taskhost.exe
2176	taskhost.exe
1568	taskhost.exe
2340	taskhost.exe
2348	taskhost.exe
1364	taskhost.exe
1612	taskhost.exe
908	taskhost.exe
2660	taskhost.exe
2572	taskhost.exe
1228	taskhost.exe
2124	taskhost.exe
2700	taskhost.exe
3008	taskhost.exe
3024	taskhost.exe
644	taskhost.exe
2808	taskhost.exe
2868	taskhost.exe
304	taskhost.exe
1056	taskhost.exe
324	taskhost.exe
1156	taskhost.exe
2180	taskhost.exe
996	taskhost.exe
1888	taskhost.exe
2624	taskhost.exe
1516	taskhost.exe
2220	taskhost.exe
1524	taskhost.exe
2052	taskhost.exe
2536	taskhost.exe
2284	taskhost.exe
2972	taskhost.exe
1524	taskhost.exe
3128	taskhost.exe
3256	taskhost.exe
3532	taskhost.exe
3660	taskhost.exe
3936	taskhost.exe
4068	taskhost.exe
3192	taskhost.exe
3360	taskhost.exe
3680	taskhost.exe
3860	taskhost.exe
2428	taskhost.exe
3176	taskhost.exe
3536	taskhost.exe
3872	taskhost.exe
4020	taskhost.exe
3108	taskhost.exe
3568	taskhost.exe
3412	taskhost.exe

Identifies Wine through registry keys 2 TTPs 64 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	taskhost.exe

Loads dropped DLL 64 IoCs

Processes:

pid	Process
2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
1916	taskhost.exe
1916	taskhost.exe
380	taskhost.exe
380	taskhost.exe
2804	taskhost.exe
2804	taskhost.exe
400	taskhost.exe
400	taskhost.exe
272	taskhost.exe
272	taskhost.exe
2492	taskhost.exe
2492	taskhost.exe
2176	taskhost.exe
2176	taskhost.exe
2340	taskhost.exe
2340	taskhost.exe
1364	taskhost.exe
1364	taskhost.exe
908	taskhost.exe
908	taskhost.exe
2572	taskhost.exe
2572	taskhost.exe
2124	taskhost.exe
2124	taskhost.exe
3008	taskhost.exe
3008	taskhost.exe
2868	taskhost.exe
2868	taskhost.exe
1056	taskhost.exe
1056	taskhost.exe
1156	taskhost.exe
1156	taskhost.exe
996	taskhost.exe
996	taskhost.exe
2624	taskhost.exe
2624	taskhost.exe
2220	taskhost.exe
2220	taskhost.exe
2052	taskhost.exe
2052	taskhost.exe
2284	taskhost.exe
2284	taskhost.exe
1524	taskhost.exe
1524	taskhost.exe
3256	taskhost.exe
3256	taskhost.exe
3660	taskhost.exe
3660	taskhost.exe
4068	taskhost.exe
4068	taskhost.exe
3360	taskhost.exe
3860	taskhost.exe
3860	taskhost.exe
3176	taskhost.exe
3176	taskhost.exe
3872	taskhost.exe
3872	taskhost.exe
3108	taskhost.exe
3108	taskhost.exe
3412	taskhost.exe
3412	taskhost.exe
3196	taskhost.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MR9sLp0UQRG4\\MR9sLp0UQRG4\\taskhost.exe"	taskhost.exe

Checks whether UAC is enabled 1 TTPs 64 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe

Drops file in System32 directory 64 IoCs

Processes:

attrib.exeattrib.exeattrib.exeattrib.exetaskhost.exetaskhost.exeattrib.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exeattrib.exeattrib.exeattrib.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exeattrib.exetaskhost.exeattrib.exetaskhost.exeattrib.exetaskhost.exetaskhost.exeattrib.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exeattrib.exetaskhost.exeattrib.exetaskhost.exetaskhost.exeattrib.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File created	C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File created	C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File created	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\	taskhost.exe
File created	C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File created	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File created	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File created	C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File created	C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File created	C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File created	C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File created	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File created	C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4	attrib.exe
File created	C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File created	C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\	taskhost.exe
File created	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File created	C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe	taskhost.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exetaskhost.exe

description	pid	Process	procid_target
PID 876 set thread context of 2648	876	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	31
PID 2632 set thread context of 1916	2632	taskhost.exe	40
PID 2024 set thread context of 380	2024	taskhost.exe	49
PID 1884 set thread context of 2804	1884	taskhost.exe	58
PID 2836 set thread context of 400	2836	taskhost.exe	67
PID 2540 set thread context of 272	2540	taskhost.exe	76
PID 1544 set thread context of 2492	1544	taskhost.exe	85
PID 1672 set thread context of 2176	1672	taskhost.exe	94
PID 1568 set thread context of 2340	1568	taskhost.exe	103
PID 2348 set thread context of 1364	2348	taskhost.exe	112
PID 1612 set thread context of 908	1612	taskhost.exe	121
PID 2660 set thread context of 2572	2660	taskhost.exe	130
PID 1228 set thread context of 2124	1228	taskhost.exe	139
PID 2700 set thread context of 3008	2700	taskhost.exe	148
PID 3024 set thread context of 644	3024	taskhost.exe	157
PID 2808 set thread context of 2868	2808	taskhost.exe	166
PID 304 set thread context of 1056	304	taskhost.exe	175
PID 324 set thread context of 1156	324	taskhost.exe	184
PID 2180 set thread context of 996	2180	taskhost.exe	193
PID 1888 set thread context of 2624	1888	taskhost.exe	202
PID 1516 set thread context of 2220	1516	taskhost.exe	211
PID 1524 set thread context of 2052	1524	taskhost.exe	220
PID 2536 set thread context of 2284	2536	taskhost.exe	229
PID 2972 set thread context of 1524	2972	taskhost.exe	238
PID 3128 set thread context of 3256	3128	taskhost.exe	247
PID 3532 set thread context of 3660	3532	taskhost.exe	256
PID 3936 set thread context of 4068	3936	taskhost.exe	265
PID 3192 set thread context of 3360	3192	taskhost.exe	274
PID 3680 set thread context of 3860	3680	taskhost.exe	283
PID 2428 set thread context of 3176	2428	taskhost.exe	292
PID 3536 set thread context of 3872	3536	taskhost.exe	301
PID 4020 set thread context of 3108	4020	taskhost.exe	310
PID 3568 set thread context of 3412	3568	taskhost.exe	319
PID 3684 set thread context of 3196	3684	taskhost.exe	328
PID 3632 set thread context of 3996	3632	taskhost.exe	337
PID 3380 set thread context of 3532	3380	taskhost.exe	346
PID 3124 set thread context of 3584	3124	taskhost.exe	355
PID 4084 set thread context of 2428	4084	taskhost.exe	364
PID 3428 set thread context of 3972	3428	taskhost.exe	373
PID 3344 set thread context of 4012	3344	taskhost.exe	382
PID 3956 set thread context of 3784	3956	taskhost.exe	391
PID 3116 set thread context of 2428	3116	taskhost.exe	400
PID 3916 set thread context of 3136	3916	taskhost.exe	409
PID 4340 set thread context of 4472	4340	taskhost.exe	418
PID 4748 set thread context of 4876	4748	taskhost.exe	427
PID 3300 set thread context of 4156	3300	taskhost.exe	436
PID 4448 set thread context of 4644	4448	taskhost.exe	445
PID 4920 set thread context of 5072	4920	taskhost.exe	454
PID 4352 set thread context of 3388	4352	taskhost.exe	463
PID 4840 set thread context of 5032	4840	taskhost.exe	472
PID 3956 set thread context of 4216	3956	taskhost.exe	481
PID 4888 set thread context of 4932	4888	taskhost.exe	490
PID 4424 set thread context of 4752	4424	taskhost.exe	499
PID 2120 set thread context of 3120	2120	taskhost.exe	508
PID 5004 set thread context of 4540	5004	taskhost.exe	517
PID 4668 set thread context of 3084	4668	taskhost.exe	526
PID 4480 set thread context of 3788	4480	taskhost.exe	535
PID 3916 set thread context of 5052	3916	taskhost.exe	544
PID 4800 set thread context of 4832	4800	taskhost.exe	553
PID 4404 set thread context of 3108	4404	taskhost.exe	562
PID 4984 set thread context of 4824	4984	taskhost.exe	571
PID 5192 set thread context of 5320	5192	taskhost.exe	580
PID 5596 set thread context of 5728	5596	taskhost.exe	589
PID 6000 set thread context of 6128	6000	taskhost.exe	598

UPX packed file 46 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2648-18-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2648-21-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2648-16-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2648-23-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2648-24-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2648-22-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2648-15-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2648-10-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2648-8-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2648-25-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2648-59-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1916-79-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1916-77-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1916-122-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1916-114-0x0000000005630000-0x00000000057CE000-memory.dmp	upx
behavioral1/memory/380-139-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/380-180-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2804-198-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2804-235-0x0000000005600000-0x000000000579E000-memory.dmp	upx
behavioral1/memory/2804-237-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/400-251-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/400-287-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/272-301-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/272-342-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2492-358-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2492-391-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2176-445-0x0000000005710000-0x00000000058AE000-memory.dmp	upx
behavioral1/memory/2176-444-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2340-459-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2340-497-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1364-548-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/908-564-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/908-601-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2572-650-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2124-667-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2124-703-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/3008-751-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/644-766-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/644-800-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2868-813-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2868-848-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1056-861-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1056-896-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1156-909-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1156-945-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2868-1091-0x00000000057C0000-0x000000000595E000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

Processes:

attrib.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

notepad.execmd.execmd.exeattrib.execmd.exetaskhost.execmd.execmd.execmd.exenotepad.execmd.execmd.execmd.exeattrib.exetaskhost.exenotepad.execmd.exeattrib.execmd.execmd.exetaskhost.exeattrib.exenotepad.exetaskhost.execmd.exetaskhost.exenotepad.exenotepad.exeattrib.exetaskhost.exetaskhost.exetaskhost.exeattrib.exetaskhost.execmd.execmd.exetaskhost.exetaskhost.exeattrib.execmd.exetaskhost.exeattrib.execmd.exeattrib.exetaskhost.exenotepad.execmd.execmd.exeattrib.exeattrib.execmd.execmd.execmd.execmd.execmd.exetaskhost.exetaskhost.exetaskhost.execmd.exetaskhost.exeattrib.exeattrib.execmd.exeattrib.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exetaskhost.exetaskhost.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeSecurityPrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeTakeOwnershipPrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeLoadDriverPrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeSystemProfilePrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeSystemtimePrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeProfSingleProcessPrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeIncBasePriorityPrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeCreatePagefilePrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeBackupPrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeRestorePrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeShutdownPrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeDebugPrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeSystemEnvironmentPrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeChangeNotifyPrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeRemoteShutdownPrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeUndockPrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeManageVolumePrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeImpersonatePrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeCreateGlobalPrivilege	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: 33	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: 34	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: 35	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
Token: SeIncreaseQuotaPrivilege	1916	taskhost.exe
Token: SeSecurityPrivilege	1916	taskhost.exe
Token: SeTakeOwnershipPrivilege	1916	taskhost.exe
Token: SeLoadDriverPrivilege	1916	taskhost.exe
Token: SeSystemProfilePrivilege	1916	taskhost.exe
Token: SeSystemtimePrivilege	1916	taskhost.exe
Token: SeProfSingleProcessPrivilege	1916	taskhost.exe
Token: SeIncBasePriorityPrivilege	1916	taskhost.exe
Token: SeCreatePagefilePrivilege	1916	taskhost.exe
Token: SeBackupPrivilege	1916	taskhost.exe
Token: SeRestorePrivilege	1916	taskhost.exe
Token: SeShutdownPrivilege	1916	taskhost.exe
Token: SeDebugPrivilege	1916	taskhost.exe
Token: SeSystemEnvironmentPrivilege	1916	taskhost.exe
Token: SeChangeNotifyPrivilege	1916	taskhost.exe
Token: SeRemoteShutdownPrivilege	1916	taskhost.exe
Token: SeUndockPrivilege	1916	taskhost.exe
Token: SeManageVolumePrivilege	1916	taskhost.exe
Token: SeImpersonatePrivilege	1916	taskhost.exe
Token: SeCreateGlobalPrivilege	1916	taskhost.exe
Token: 33	1916	taskhost.exe
Token: 34	1916	taskhost.exe
Token: 35	1916	taskhost.exe
Token: SeIncreaseQuotaPrivilege	380	taskhost.exe
Token: SeSecurityPrivilege	380	taskhost.exe
Token: SeTakeOwnershipPrivilege	380	taskhost.exe
Token: SeLoadDriverPrivilege	380	taskhost.exe
Token: SeSystemProfilePrivilege	380	taskhost.exe
Token: SeSystemtimePrivilege	380	taskhost.exe
Token: SeProfSingleProcessPrivilege	380	taskhost.exe
Token: SeIncBasePriorityPrivilege	380	taskhost.exe
Token: SeCreatePagefilePrivilege	380	taskhost.exe
Token: SeBackupPrivilege	380	taskhost.exe
Token: SeRestorePrivilege	380	taskhost.exe
Token: SeShutdownPrivilege	380	taskhost.exe
Token: SeDebugPrivilege	380	taskhost.exe
Token: SeSystemEnvironmentPrivilege	380	taskhost.exe
Token: SeChangeNotifyPrivilege	380	taskhost.exe
Token: SeRemoteShutdownPrivilege	380	taskhost.exe
Token: SeUndockPrivilege	380	taskhost.exe
Token: SeManageVolumePrivilege	380	taskhost.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	Process
876	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
2632	taskhost.exe
2024	taskhost.exe
1884	taskhost.exe
2836	taskhost.exe
2540	taskhost.exe
1544	taskhost.exe
1672	taskhost.exe
1568	taskhost.exe
2348	taskhost.exe
1612	taskhost.exe
2660	taskhost.exe
1228	taskhost.exe
2700	taskhost.exe
3024	taskhost.exe
2808	taskhost.exe
304	taskhost.exe
324	taskhost.exe
2180	taskhost.exe
1888	taskhost.exe
1516	taskhost.exe
1524	taskhost.exe
2536	taskhost.exe
2972	taskhost.exe
3128	taskhost.exe
3532	taskhost.exe
3936	taskhost.exe
3192	taskhost.exe
3680	taskhost.exe
2428	taskhost.exe
3536	taskhost.exe
4020	taskhost.exe
3568	taskhost.exe
3684	taskhost.exe
3632	taskhost.exe
3380	taskhost.exe
3124	taskhost.exe
4084	taskhost.exe
3428	taskhost.exe
3344	taskhost.exe
3956	taskhost.exe
3116	taskhost.exe
3916	taskhost.exe
4340	taskhost.exe
4748	taskhost.exe
3300	taskhost.exe
4448	taskhost.exe
4920	taskhost.exe
4352	taskhost.exe
4840	taskhost.exe
3956	taskhost.exe
4888	taskhost.exe
4424	taskhost.exe
2120	taskhost.exe
5004	taskhost.exe
4668	taskhost.exe
4480	taskhost.exe
3916	taskhost.exe
4800	taskhost.exe
4404	taskhost.exe
4984	taskhost.exe
5192	taskhost.exe
5596	taskhost.exe
6000	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.execmd.execmd.exetaskhost.exetaskhost.exe

description	pid	Process	procid_target
PID 876 wrote to memory of 2648	876	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	31
PID 876 wrote to memory of 2648	876	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	31
PID 876 wrote to memory of 2648	876	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	31
PID 876 wrote to memory of 2648	876	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	31
PID 876 wrote to memory of 2648	876	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	31
PID 876 wrote to memory of 2648	876	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	31
PID 876 wrote to memory of 2648	876	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	31
PID 876 wrote to memory of 2648	876	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	31
PID 2648 wrote to memory of 2688	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	32
PID 2648 wrote to memory of 2688	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	32
PID 2648 wrote to memory of 2688	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	32
PID 2648 wrote to memory of 2688	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	32
PID 2648 wrote to memory of 2564	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	33
PID 2648 wrote to memory of 2564	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	33
PID 2648 wrote to memory of 2564	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	33
PID 2648 wrote to memory of 2564	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	33
PID 2648 wrote to memory of 2800	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	34
PID 2648 wrote to memory of 2800	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	34
PID 2648 wrote to memory of 2800	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	34
PID 2648 wrote to memory of 2800	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	34
PID 2648 wrote to memory of 2800	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	34
PID 2648 wrote to memory of 2800	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	34
PID 2648 wrote to memory of 2800	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	34
PID 2648 wrote to memory of 2800	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	34
PID 2648 wrote to memory of 2800	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	34
PID 2648 wrote to memory of 2800	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	34
PID 2648 wrote to memory of 2800	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	34
PID 2648 wrote to memory of 2800	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	34
PID 2648 wrote to memory of 2800	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	34
PID 2648 wrote to memory of 2800	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	34
PID 2648 wrote to memory of 2800	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	34
PID 2648 wrote to memory of 2800	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	34
PID 2648 wrote to memory of 2800	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	34
PID 2648 wrote to memory of 2800	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	34
PID 2688 wrote to memory of 2588	2688	cmd.exe	38
PID 2688 wrote to memory of 2588	2688	cmd.exe	38
PID 2688 wrote to memory of 2588	2688	cmd.exe	38
PID 2688 wrote to memory of 2588	2688	cmd.exe	38
PID 2564 wrote to memory of 2572	2564	cmd.exe	37
PID 2564 wrote to memory of 2572	2564	cmd.exe	37
PID 2564 wrote to memory of 2572	2564	cmd.exe	37
PID 2564 wrote to memory of 2572	2564	cmd.exe	37
PID 2648 wrote to memory of 2632	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	39
PID 2648 wrote to memory of 2632	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	39
PID 2648 wrote to memory of 2632	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	39
PID 2648 wrote to memory of 2632	2648	34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe	39
PID 2632 wrote to memory of 1916	2632	taskhost.exe	40
PID 2632 wrote to memory of 1916	2632	taskhost.exe	40
PID 2632 wrote to memory of 1916	2632	taskhost.exe	40
PID 2632 wrote to memory of 1916	2632	taskhost.exe	40
PID 2632 wrote to memory of 1916	2632	taskhost.exe	40
PID 2632 wrote to memory of 1916	2632	taskhost.exe	40
PID 2632 wrote to memory of 1916	2632	taskhost.exe	40
PID 2632 wrote to memory of 1916	2632	taskhost.exe	40
PID 1916 wrote to memory of 2280	1916	taskhost.exe	41
PID 1916 wrote to memory of 2280	1916	taskhost.exe	41
PID 1916 wrote to memory of 2280	1916	taskhost.exe	41
PID 1916 wrote to memory of 2280	1916	taskhost.exe	41
PID 1916 wrote to memory of 2908	1916	taskhost.exe	43
PID 1916 wrote to memory of 2908	1916	taskhost.exe	43
PID 1916 wrote to memory of 2908	1916	taskhost.exe	43
PID 1916 wrote to memory of 2908	1916	taskhost.exe	43
PID 1916 wrote to memory of 2856	1916	taskhost.exe	45
PID 1916 wrote to memory of 2856	1916	taskhost.exe	45

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

pid	Process
780	attrib.exe
948	attrib.exe
4412	attrib.exe
7152	attrib.exe
2452	attrib.exe
1868	attrib.exe
7980	attrib.exe
4116	attrib.exe
7000	attrib.exe
5600	attrib.exe
5272	attrib.exe
6876	attrib.exe
6348	attrib.exe
3644	attrib.exe
5976	attrib.exe
5620	attrib.exe
8004	attrib.exe
4120	attrib.exe
6368	attrib.exe
7516	attrib.exe
4332	attrib.exe
6588	attrib.exe
5660	attrib.exe
2120	attrib.exe
3188	attrib.exe
7960	attrib.exe
8836	attrib.exe
3936	attrib.exe
1948	attrib.exe
5268	attrib.exe
3184	attrib.exe
5748	attrib.exe
7604	attrib.exe
8264	attrib.exe
2956	attrib.exe
3512	attrib.exe
2844	attrib.exe
7960	attrib.exe
6256	attrib.exe
7756	attrib.exe
2572	attrib.exe
3120	attrib.exe
7960	attrib.exe
5732	attrib.exe
6712	attrib.exe
4972	attrib.exe
2356	attrib.exe
1240	attrib.exe
7848	attrib.exe
9092	attrib.exe
5776	attrib.exe
6660	attrib.exe
6840	attrib.exe
7984	attrib.exe
7512	attrib.exe
3220	attrib.exe
7080	attrib.exe
3920	attrib.exe
4008	attrib.exe
7420	attrib.exe
8352	attrib.exe
2840	attrib.exe
1524	attrib.exe
3388	attrib.exe

C:\Users\Admin\AppData\Local\Temp\34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
"C:\Users\Admin\AppData\Local\Temp\34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\AppData\Local\Temp\34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
  C:\Users\Admin\AppData\Local\Temp\34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe" +s +h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0bN.exe" +s +h
      4⤵
      Sets file to hidden
      PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2572
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - Deletes itself
    PID:2800
- - C:\Windows\SysWOW64\taskhost.exe
    "C:\Windows\system32\taskhost.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\taskhost.exe
      C:\Windows\SysWOW64\taskhost.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\taskhost.exe" +s +h
        5⤵
        
        PID:2280
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\taskhost.exe" +s +h
        6⤵
        
        PID:668
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h
        5⤵
        
        PID:2908
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64" +s +h
        6⤵
        Drops file in Windows directory
        
        PID:408
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\taskhost.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2024
      - C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe" +s +h
        7⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\taskhost.exe" +s +h
        8⤵
        Sets file to hidden
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4" +s +h
        7⤵
        
        PID:784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4" +s +h
        8⤵
        Views/modifies file attributes
        
        PID:2452
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        9⤵
        
        PID:600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        10⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        9⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        10⤵
        Views/modifies file attributes
        
        PID:2840
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        9⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        11⤵
        
        PID:920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        12⤵
        Views/modifies file attributes
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        11⤵
        
        PID:352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        12⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        11⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        11⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        13⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        14⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        14⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        13⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        13⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        14⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        15⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        16⤵
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        15⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        16⤵
        
        PID:592
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        15⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        15⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        16⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        17⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        18⤵
        Sets file to hidden
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        17⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        18⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        17⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        17⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        18⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        19⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        20⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        19⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        20⤵
        Views/modifies file attributes
        
        PID:2356
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        19⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        19⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        21⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        22⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        21⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        22⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        21⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        21⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        22⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        23⤵
        
        PID:596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        24⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        23⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        24⤵
        Sets file to hidden
        
        PID:2664
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        23⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        23⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        24⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        25⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        26⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        25⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        26⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        25⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        25⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1228
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        27⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        28⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        27⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        28⤵
        Sets file to hidden
        
        PID:1936
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        27⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        27⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2700
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        28⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        29⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        30⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        29⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        29⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        29⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        30⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        31⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        32⤵
        Sets file to hidden
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        31⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        32⤵
        Views/modifies file attributes
        
        PID:2844
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        31⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        31⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2808
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        32⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        33⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        34⤵
        Sets file to hidden
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        33⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        34⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        33⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        33⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:304
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        34⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        35⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        36⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        35⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        36⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        35⤵
        
        PID:636
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        35⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:324
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        37⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        38⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        37⤵
        
        PID:940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        38⤵
        Views/modifies file attributes
        
        PID:1524
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        37⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        37⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        39⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        40⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        39⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        40⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        39⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        39⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1888
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        40⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        42⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        41⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        42⤵
        Views/modifies file attributes
        
        PID:1868
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        41⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        41⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        43⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        44⤵
        Sets file to hidden
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        43⤵
        
        PID:332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        44⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        43⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        43⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        44⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        45⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        46⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        45⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        46⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        45⤵
        
        PID:340
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        45⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        47⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        48⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        47⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        48⤵
        Sets file to hidden
        
        PID:1524
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        47⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        47⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        49⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        49⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        50⤵
        Views/modifies file attributes
        
        PID:3120
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        49⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        49⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Executes dropped EXE
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3128
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        51⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        52⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        51⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        52⤵
        Views/modifies file attributes
        
        PID:3512
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        51⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        51⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3532
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        53⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        54⤵
        Sets file to hidden
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        53⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        54⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3920
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        53⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3936
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        55⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        55⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        56⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        55⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        55⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3192
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        56⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        57⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        58⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        57⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        58⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        57⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        57⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3680
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        59⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        60⤵
        Views/modifies file attributes
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        59⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        60⤵
        Views/modifies file attributes
        
        PID:3936
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        59⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        59⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        60⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        62⤵
        Sets file to hidden
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        61⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        62⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        61⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        61⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3536
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        63⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        64⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        63⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        64⤵
        Views/modifies file attributes
        
        PID:4008
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        63⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        63⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4020
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        64⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        65⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        66⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        65⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        66⤵
        Views/modifies file attributes
        
        PID:3220
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        65⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        65⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3568
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        66⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        67⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        68⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        67⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        68⤵
        
        PID:304
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        67⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        67⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3684
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        68⤵
        Modifies WinLogon for persistence
        Loads dropped DLL
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        69⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        70⤵
        Sets file to hidden
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        70⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        69⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        69⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3632
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        70⤵
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        71⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        72⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        72⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3388
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        71⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        71⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3380
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        72⤵
        Adds Run key to start application
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        73⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        74⤵
        Views/modifies file attributes
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        73⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        74⤵
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        73⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        73⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3124
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        74⤵
        Adds Run key to start application
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        75⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        76⤵
        Sets file to hidden
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        75⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        76⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        75⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        75⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4084
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        76⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        77⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        78⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        77⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        78⤵
        Sets file to hidden
        
        PID:3988
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        77⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        77⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3428
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        78⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        79⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        80⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        80⤵
        Views/modifies file attributes
        
        PID:3188
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        79⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        79⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3344
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        80⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        82⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        81⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        82⤵
        Sets file to hidden
        
        PID:1948
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        81⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        81⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3956
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        82⤵
        Adds Run key to start application
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        83⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        84⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        83⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        84⤵
        Sets file to hidden
        
        PID:960
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        83⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        83⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3116
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        84⤵
        Adds Run key to start application
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        85⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        86⤵
        Sets file to hidden
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        85⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        86⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        85⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        85⤵
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3916
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        86⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        87⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        88⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        87⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        88⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        87⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        87⤵
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4340
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        88⤵
        Modifies WinLogon for persistence
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        89⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        90⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        89⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        90⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        89⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        89⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4748
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        90⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        91⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        91⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        92⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        91⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        91⤵
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3300
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        92⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        94⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        93⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        93⤵
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4448
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        94⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        95⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        96⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        95⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        96⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        95⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        95⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4920
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        96⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        97⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        98⤵
        Views/modifies file attributes
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        97⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        98⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        97⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        97⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4352
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        98⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        99⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        100⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        99⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        100⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        99⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        99⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4840
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        100⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        101⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        102⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        101⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        102⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        101⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        101⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3956
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        102⤵
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        103⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        104⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        103⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        104⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        103⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        103⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4888
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        104⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        105⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        106⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        105⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        106⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:4412
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        105⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        105⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4424
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        106⤵
        Modifies WinLogon for persistence
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        107⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        108⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        107⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        108⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        107⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2120
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        108⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        109⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        110⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        109⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        110⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        109⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        109⤵
        Checks BIOS information in registry
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5004
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        110⤵
        Adds Run key to start application
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        111⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        112⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        111⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        112⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        111⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        111⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4668
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        112⤵
        Adds Run key to start application
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        113⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        114⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        113⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        114⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        113⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        113⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4480
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        114⤵
        Modifies WinLogon for persistence
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        115⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        116⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        115⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        116⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        115⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        115⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3916
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        116⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        117⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        118⤵
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        117⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        118⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        117⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        117⤵
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4800
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        118⤵
        Modifies WinLogon for persistence
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        119⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        120⤵
        Sets file to hidden
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        119⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        120⤵
        Sets file to hidden
        
        PID:4484
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        119⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        119⤵
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4404
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        120⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        121⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        122⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        121⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        122⤵
        Sets file to hidden
        
        PID:4968
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        121⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        121⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4984
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        122⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        123⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        124⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        123⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        124⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        123⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        123⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5192
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        124⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:5320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        125⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        126⤵
        Sets file to hidden
        
        PID:5588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        126⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        125⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        125⤵
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5596
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        126⤵
        Adds Run key to start application
        
        PID:5728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        127⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        128⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        127⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        128⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        127⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        127⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:6000
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        128⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        129⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        130⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        129⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        130⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        129⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        129⤵
        Checks BIOS information in registry
        
        PID:5280
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        130⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:5468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        131⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        132⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        131⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        132⤵
        Sets file to hidden
        
        PID:5620
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        131⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        131⤵
        Identifies Wine through registry keys
        
        PID:5756
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        132⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        133⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        134⤵
        Sets file to hidden
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        134⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        133⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        133⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Identifies Wine through registry keys
        
        PID:5136
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        134⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        135⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        136⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        135⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        136⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        135⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        135⤵
        Checks BIOS information in registry
        
        PID:5600
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        136⤵
        Modifies WinLogon for persistence
        
        PID:5768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        137⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        137⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        138⤵
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        137⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        137⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        
        PID:4968
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        140⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        139⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        140⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        139⤵
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        
        PID:5760
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        140⤵
        Modifies WinLogon for persistence
        
        PID:5852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        141⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        141⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        142⤵
        Sets file to hidden
        
        PID:5260
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        141⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        141⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        
        PID:5176
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        142⤵
        Modifies WinLogon for persistence
        
        PID:5440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        143⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        144⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        143⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        144⤵
        Views/modifies file attributes
        
        PID:5600
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        143⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        143⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        
        PID:5652
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        144⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        145⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        146⤵
        Sets file to hidden
        
        PID:5484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        145⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        145⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        145⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        146⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:5600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        147⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        148⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        147⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        147⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        
        PID:5288
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        148⤵
        Adds Run key to start application
        
        PID:5920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        149⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        150⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        150⤵
        Views/modifies file attributes
        
        PID:5732
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        149⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        149⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        
        PID:4996
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        150⤵
        Adds Run key to start application
        
        PID:5484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        151⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        152⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        151⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        152⤵
        Views/modifies file attributes
        
        PID:5268
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        151⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        151⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        152⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        153⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        154⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:5516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        154⤵
        Views/modifies file attributes
        
        PID:5976
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        153⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        153⤵
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        
        PID:4528
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        154⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        155⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        156⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        155⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        156⤵
        Views/modifies file attributes
        
        PID:5272
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        155⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        155⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        
        PID:5228
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        156⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:5976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        157⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        158⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        157⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        158⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        157⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        157⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        
        PID:5884
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        158⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        159⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        160⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        159⤵
        
        PID:524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        160⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        159⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        159⤵
        Identifies Wine through registry keys
        
        PID:5660
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        160⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:5788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        162⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        161⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        162⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        161⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        161⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        
        PID:6196
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        162⤵
        Adds Run key to start application
        
        PID:6324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        163⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        164⤵
        Views/modifies file attributes
        
        PID:6588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        163⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        164⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        163⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        163⤵
        Checks whether UAC is enabled
        
        PID:6596
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        164⤵
        Modifies WinLogon for persistence
        
        PID:6728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        165⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        166⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        165⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        166⤵
        Sets file to hidden
        
        PID:6996
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        165⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        165⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        
        PID:7004
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        166⤵
        Adds Run key to start application
        
        PID:7132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        167⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        168⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        167⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        168⤵
        Sets file to hidden
        
        PID:6208
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        167⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        167⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        168⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        169⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        170⤵
        Views/modifies file attributes
        
        PID:6660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        169⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        170⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        169⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        169⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        
        PID:6668
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        170⤵
        Adds Run key to start application
        
        PID:6868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        171⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        172⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        171⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        172⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        171⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        171⤵
        Checks whether UAC is enabled
        
        PID:7088
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        172⤵
        Adds Run key to start application
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        173⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        174⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        173⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        174⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        173⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        173⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Identifies Wine through registry keys
        
        PID:6504
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        174⤵
        Modifies WinLogon for persistence
        
        PID:6448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        175⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        176⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        175⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        176⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        175⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        175⤵
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        
        PID:7128
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        176⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        177⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        178⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        177⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        178⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        177⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        177⤵
        Drops file in System32 directory
        
        PID:6508
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        178⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:6592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        179⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        180⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        179⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        180⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        179⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:7108
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        180⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        181⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        182⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:6224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        182⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:6244
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        181⤵
        Identifies Wine through registry keys
        
        PID:2456
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        182⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:6732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        184⤵
        Sets file to hidden
        
        PID:7128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        183⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        184⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        183⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        183⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7112
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        184⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:6368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        185⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:6888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        185⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        186⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        185⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        185⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Drops file in System32 directory
        
        PID:6976
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        186⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:7108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        188⤵
        Views/modifies file attributes
        
        PID:7000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:5724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        188⤵
        Sets file to hidden
        
        PID:6820
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        187⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        187⤵
        Checks BIOS information in registry
        Identifies Wine through registry keys
        
        PID:6740
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        188⤵
        Adds Run key to start application
        
        PID:6920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:7008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        190⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        189⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        190⤵
        Views/modifies file attributes
        
        PID:948
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        189⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        189⤵
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        Drops file in System32 directory
        
        PID:7120
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        190⤵
        Adds Run key to start application
        
        PID:6380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        191⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        192⤵
        Views/modifies file attributes
        
        PID:5620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        191⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        192⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        191⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        191⤵
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        
        PID:7152
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        192⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        193⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        194⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:6840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        193⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        194⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        193⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        193⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:6164
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        194⤵
        Modifies WinLogon for persistence
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        195⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        196⤵
        Sets file to hidden
        
        PID:5448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        195⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        196⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:6256
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        195⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        195⤵
        Checks BIOS information in registry
        
        PID:6512
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        196⤵
        Modifies WinLogon for persistence
        
        PID:6856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        197⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        198⤵
        Sets file to hidden
        
        PID:6676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        197⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        198⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        197⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        197⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        
        PID:7028
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        198⤵
        Modifies WinLogon for persistence
        
        PID:5172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        199⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        200⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        199⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        200⤵
        Sets file to hidden
        
        PID:6372
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        199⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        199⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        
        PID:6544
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        200⤵
        Modifies WinLogon for persistence
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        201⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        202⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        201⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        202⤵
        Sets file to hidden
        
        PID:7416
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        201⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        201⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        
        PID:7424
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        202⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        203⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        204⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:7640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        204⤵
        Sets file to hidden
        
        PID:7812
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        203⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        203⤵
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        
        PID:7828
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        204⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:7956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        205⤵
        System Location Discovery: System Language Discovery
        
        PID:8028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        206⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        205⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        206⤵
        Sets file to hidden
        
        PID:7120
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        205⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        205⤵
        Checks whether UAC is enabled
        
        PID:5680
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        206⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:7284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        207⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        208⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        207⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        208⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        207⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        207⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks whether UAC is enabled
        
        PID:7524
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        208⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        209⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        210⤵
        Views/modifies file attributes
        
        PID:8004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        209⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        210⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:7984
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        209⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        209⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        
        PID:7544
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        210⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:6908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        211⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        212⤵
        Views/modifies file attributes
        
        PID:7420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        211⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        212⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        211⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        211⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        
        PID:7212
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        212⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:7540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        213⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        214⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        213⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        214⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        213⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        213⤵
        Identifies Wine through registry keys
        
        PID:7932
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        214⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:8120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        215⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        216⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        215⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        216⤵
        Views/modifies file attributes
        
        PID:7960
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        215⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        215⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        
        PID:6508
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        216⤵
        Modifies WinLogon for persistence
        System Location Discovery: System Language Discovery
        
        PID:7204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        217⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        218⤵
        Views/modifies file attributes
        
        PID:7604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        217⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        218⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        217⤵
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        
        PID:6660
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        218⤵
        Adds Run key to start application
        
        PID:8084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:7316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        220⤵
        Views/modifies file attributes
        
        PID:7152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        219⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        220⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        219⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        219⤵
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:7552
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        220⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:7744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        221⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        222⤵
        Sets file to hidden
        
        PID:7756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        221⤵
        System Location Discovery: System Language Discovery
        
        PID:7880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        222⤵
        Views/modifies file attributes
        
        PID:7980
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        221⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        221⤵
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:8076
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        222⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:6584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        223⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        224⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        223⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        224⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        223⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        223⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        
        PID:7948
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        224⤵
        Adds Run key to start application
        
        PID:7780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        225⤵
        System Location Discovery: System Language Discovery
        
        PID:7376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        226⤵
        Views/modifies file attributes
        
        PID:7512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        225⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        226⤵
        Views/modifies file attributes
        
        PID:7516
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        225⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        225⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        
        PID:7496
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        226⤵
        Adds Run key to start application
        
        PID:7736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        227⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        228⤵
        Views/modifies file attributes
        
        PID:7960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        227⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        228⤵
        Sets file to hidden
        
        PID:8076
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        227⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        227⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        
        PID:7464
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        228⤵
        Adds Run key to start application
        
        PID:7900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        229⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        230⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        229⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        230⤵
        Views/modifies file attributes
        
        PID:7960
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        229⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        229⤵
        Checks BIOS information in registry
        
        PID:3052
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        230⤵
        Modifies WinLogon for persistence
        
        PID:7876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        231⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        232⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        231⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        232⤵
        Views/modifies file attributes
        
        PID:7848
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        231⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        231⤵
        Identifies Wine through registry keys
        
        PID:8160
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        232⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        233⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        234⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        233⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        234⤵
        Sets file to hidden
        
        PID:7492
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        233⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        233⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        
        PID:8116
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        234⤵
        Adds Run key to start application
        
        PID:7848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        235⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        236⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        235⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        236⤵
        Views/modifies file attributes
        
        PID:7756
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        235⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        235⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        
        PID:8020
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        236⤵
        Drops file in System32 directory
        
        PID:7336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        237⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        238⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        237⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        238⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        237⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        237⤵
        Checks whether UAC is enabled
        
        PID:7656
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        238⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        239⤵
        System Location Discovery: System Language Discovery
        
        PID:7696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        240⤵
        Views/modifies file attributes
        
        PID:8264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        239⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        240⤵
        Drops file in System32 directory
        
        PID:8252
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        239⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        239⤵
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        
        PID:8272
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        240⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:8396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        241⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        242⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        241⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        242⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        241⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        241⤵
        Checks BIOS information in registry
        Drops file in System32 directory
        
        PID:8672
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        242⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        243⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        244⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        243⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        244⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:9092
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        243⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        243⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Checks whether UAC is enabled
        
        PID:9072
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        244⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:9208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        245⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        246⤵
        Sets file to hidden
        
        PID:8360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        245⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        246⤵
        Views/modifies file attributes
        
        PID:8352
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        245⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        245⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks whether UAC is enabled
        
        PID:8368
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        246⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:8564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        247⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe" +s +h
        248⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        247⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4" +s +h
        248⤵
        Sets file to hidden
        
        PID:8696
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        247⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe
        
        "C:\Windows\system32\MR9sLp0UQRG4\MR9sLp0UQRG4\taskhost.exe"
        247⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Identifies Wine through registry keys
        
        PID:8848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\SysWOW64\taskhost.exe

Filesize
993KB

MD5
4424ff327fc46ccbf1e122212df6f6c0

SHA1
b1d555f699b5c1f04cf05b5a09f7c03195275b71

SHA256
34699231be16c5d6a5e12d69fa97ae4c2e8c243894d6f22feb6d8c0686a99f0b

SHA512
91c752aa8d6e5f27f783f16c518ea41c3d3cd1d11eb610447a4b268ffa280489c51ca70ed46b4797aa5d8f8d581e98f6e97c45a62b4ac25fe9b5b7429846d9cf

Download Submit
memory/272-342-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/272-301-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/304-864-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/324-897-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/324-912-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/380-139-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/380-180-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/380-181-0x0000000003DF0000-0x0000000003F8E000-memory.dmp

Filesize
1.6MB

Download
memory/380-340-0x0000000003DF0000-0x0000000003F8E000-memory.dmp

Filesize
1.6MB

Download
memory/400-251-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/400-287-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/644-800-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/644-766-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/876-17-0x0000000004900000-0x0000000004A9E000-memory.dmp

Filesize
1.6MB

Download
memory/876-12-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/876-0-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/876-4-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/876-5-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/876-1-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/876-20-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/908-601-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/908-599-0x0000000005590000-0x000000000572E000-memory.dmp

Filesize
1.6MB

Download
memory/908-564-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1056-896-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1056-861-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1156-945-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1156-943-0x0000000005850000-0x00000000059EE000-memory.dmp

Filesize
1.6MB

Download
memory/1156-909-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1228-666-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1364-548-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1544-357-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1568-462-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1612-563-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1672-408-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1672-393-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1884-201-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1884-183-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/1916-79-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1916-114-0x0000000005630000-0x00000000057CE000-memory.dmp

Filesize
1.6MB

Download
memory/1916-122-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1916-77-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2024-137-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-701-0x00000000053A0000-0x000000000553E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-703-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2124-667-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2176-443-0x0000000005710000-0x00000000058AE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-596-0x0000000005710000-0x00000000058AE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-445-0x0000000005710000-0x00000000058AE000-memory.dmp

Filesize
1.6MB

Download
memory/2176-444-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2340-497-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2340-459-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2348-513-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2348-498-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2492-358-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2492-391-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2540-289-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-305-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2572-650-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2572-752-0x0000000005690000-0x000000000582E000-memory.dmp

Filesize
1.6MB

Download
memory/2632-62-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2632-78-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2648-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2648-15-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2648-18-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2648-8-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2648-21-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2648-16-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2648-23-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2648-24-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2648-25-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2648-6-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2648-22-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2648-59-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2648-196-0x00000000054A0000-0x000000000563E000-memory.dmp

Filesize
1.6MB

Download
memory/2648-10-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2648-61-0x00000000054A0000-0x000000000563E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-615-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2700-718-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2700-704-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2800-29-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2800-49-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2804-237-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2804-235-0x0000000005600000-0x000000000579E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-198-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2808-801-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2808-815-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-253-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/2868-1091-0x00000000057C0000-0x000000000595E000-memory.dmp

Filesize
1.6MB

Download
memory/2868-813-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2868-849-0x00000000057C0000-0x000000000595E000-memory.dmp

Filesize
1.6MB

Download
memory/2868-848-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3008-751-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3024-768-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download
memory/3024-753-0x0000000000400000-0x000000000059E000-memory.dmp

Filesize
1.6MB

Download