darkcomet | e607408e4c002676eb8c7f1a61f5a2c1d2c52b262ca98f71e5218297ccc96bc1

Analysis

max time kernel
22s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Size

660KB
MD5

a39e406a9096eafa928a424f806c7282
SHA1

1e5ab6834818e098b27c1c0ed616a8456ee40dcc
SHA256

e607408e4c002676eb8c7f1a61f5a2c1d2c52b262ca98f71e5218297ccc96bc1
SHA512

b373670d309f7787b7a64d0db7bacd8bfb4d9695a96c9cc10d190b78ea0c3947954a1dcd4be352eb193a3c377f3c51f34387833d16c0f3b79d4189611a4839b5
SSDEEP

12288:UXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452UY:CnAw2WWeFcfbP9VPSPMTSPL/rWvzq4JI

Score

10^/10

darkcomet bygolge discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

ByGolge

haybensenin3.zapto.org:1604

Mutex

DC_MUTEX-NXLR9FFS8Z5SQ8W8S5F5T5G5H5Y9Y8Y4H5G2A2S5DQ8W7Z92NNG2YZ1Q

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
MBzeYmsBiawB
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4120	attrib.exe
14832	Process not Found
16204	Process not Found
17676	Process not Found
3772	attrib.exe
7836	attrib.exe
17984	Process not Found
16796	Process not Found
4948	attrib.exe
6392	attrib.exe
6484	attrib.exe
5700	attrib.exe
10316	Process not Found
11464	Process not Found
12092	Process not Found
17624	Process not Found
836	attrib.exe
9184	attrib.exe
9968	attrib.exe
18096	Process not Found
5084	attrib.exe
11316	Process not Found
2852	attrib.exe
10520	Process not Found
12640	Process not Found
13772	Process not Found
13856	Process not Found
16992	Process not Found
18912	Process not Found
9884	attrib.exe
10916	Process not Found
13448	Process not Found
2160	attrib.exe
10636	Process not Found
14268	Process not Found
3564	attrib.exe
4604	attrib.exe
2632	attrib.exe
2304	attrib.exe
10188	attrib.exe
12888	Process not Found
14384	Process not Found
15204	Process not Found
13864	Process not Found
12956	Process not Found
17880	Process not Found
6484	attrib.exe
13892	Process not Found
2872	attrib.exe
2716	attrib.exe
7212	attrib.exe
10372	Process not Found
17280	Process not Found
18924	Process not Found
6496	attrib.exe
6604	attrib.exe
12436	Process not Found
17108	Process not Found
1568	attrib.exe
3576	attrib.exe
10716	Process not Found
5580	attrib.exe
6516	attrib.exe
8416	attrib.exe

Deletes itself 1 IoCs

pid	Process
2252	notepad.exe

Executes dropped EXE 64 IoCs

pid	Process
2156	msdcsc.exe
2608	msdcsc.exe
1740	msdcsc.exe
2772	msdcsc.exe
900	msdcsc.exe
2460	msdcsc.exe
2312	msdcsc.exe
2680	msdcsc.exe
2600	msdcsc.exe
1748	msdcsc.exe
2936	msdcsc.exe
532	msdcsc.exe
1932	msdcsc.exe
2596	msdcsc.exe
828	msdcsc.exe
1092	msdcsc.exe
900	msdcsc.exe
532	msdcsc.exe
2852	msdcsc.exe
1740	msdcsc.exe
1476	msdcsc.exe
1996	msdcsc.exe
2856	msdcsc.exe
2544	msdcsc.exe
560	msdcsc.exe
2632	msdcsc.exe
1788	msdcsc.exe
2748	msdcsc.exe
2672	msdcsc.exe
2588	msdcsc.exe
1592	msdcsc.exe
2288	msdcsc.exe
1968	msdcsc.exe
2272	msdcsc.exe
2720	msdcsc.exe
2500	msdcsc.exe
712	msdcsc.exe
2164	msdcsc.exe
2496	msdcsc.exe
2172	msdcsc.exe
3140	msdcsc.exe
3352	msdcsc.exe
3548	msdcsc.exe
3756	msdcsc.exe
3972	msdcsc.exe
2720	msdcsc.exe
3348	msdcsc.exe
3376	msdcsc.exe
3828	msdcsc.exe
4064	msdcsc.exe
3228	msdcsc.exe
3492	msdcsc.exe
3740	msdcsc.exe
4056	msdcsc.exe
3296	msdcsc.exe
3632	msdcsc.exe
3952	msdcsc.exe
4088	msdcsc.exe
3412	msdcsc.exe
3756	msdcsc.exe
3432	msdcsc.exe
3820	msdcsc.exe
3952	msdcsc.exe
3932	msdcsc.exe

Loads dropped DLL 64 IoCs

pid	Process
2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
2156	msdcsc.exe
2156	msdcsc.exe
2608	msdcsc.exe
2608	msdcsc.exe
1740	msdcsc.exe
1740	msdcsc.exe
2772	msdcsc.exe
2772	msdcsc.exe
900	msdcsc.exe
900	msdcsc.exe
2460	msdcsc.exe
2460	msdcsc.exe
2312	msdcsc.exe
2312	msdcsc.exe
2680	msdcsc.exe
2680	msdcsc.exe
2600	msdcsc.exe
2600	msdcsc.exe
1748	msdcsc.exe
1748	msdcsc.exe
2936	msdcsc.exe
2936	msdcsc.exe
532	msdcsc.exe
532	msdcsc.exe
1932	msdcsc.exe
1932	msdcsc.exe
2596	msdcsc.exe
2596	msdcsc.exe
828	msdcsc.exe
828	msdcsc.exe
1092	msdcsc.exe
1092	msdcsc.exe
900	msdcsc.exe
900	msdcsc.exe
532	msdcsc.exe
532	msdcsc.exe
2852	msdcsc.exe
2852	msdcsc.exe
1740	msdcsc.exe
1740	msdcsc.exe
1476	msdcsc.exe
1476	msdcsc.exe
1996	msdcsc.exe
1996	msdcsc.exe
2856	msdcsc.exe
2856	msdcsc.exe
2544	msdcsc.exe
2544	msdcsc.exe
560	msdcsc.exe
560	msdcsc.exe
2632	msdcsc.exe
2632	msdcsc.exe
1788	msdcsc.exe
1788	msdcsc.exe
2748	msdcsc.exe
2748	msdcsc.exe
2672	msdcsc.exe
2672	msdcsc.exe
2588	msdcsc.exe
2588	msdcsc.exe
1592	msdcsc.exe
1592	msdcsc.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\MBzeYmsBiawB\\MBzeYmsBiawB\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\msdcsc.exe	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeSecurityPrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeBackupPrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeRestorePrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeShutdownPrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeDebugPrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeUndockPrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: 33	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: 34	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: 35	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2156	msdcsc.exe
Token: SeSecurityPrivilege	2156	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2156	msdcsc.exe
Token: SeLoadDriverPrivilege	2156	msdcsc.exe
Token: SeSystemProfilePrivilege	2156	msdcsc.exe
Token: SeSystemtimePrivilege	2156	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2156	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2156	msdcsc.exe
Token: SeCreatePagefilePrivilege	2156	msdcsc.exe
Token: SeBackupPrivilege	2156	msdcsc.exe
Token: SeRestorePrivilege	2156	msdcsc.exe
Token: SeShutdownPrivilege	2156	msdcsc.exe
Token: SeDebugPrivilege	2156	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2156	msdcsc.exe
Token: SeChangeNotifyPrivilege	2156	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2156	msdcsc.exe
Token: SeUndockPrivilege	2156	msdcsc.exe
Token: SeManageVolumePrivilege	2156	msdcsc.exe
Token: SeImpersonatePrivilege	2156	msdcsc.exe
Token: SeCreateGlobalPrivilege	2156	msdcsc.exe
Token: 33	2156	msdcsc.exe
Token: 34	2156	msdcsc.exe
Token: 35	2156	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2608	msdcsc.exe
Token: SeSecurityPrivilege	2608	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2608	msdcsc.exe
Token: SeLoadDriverPrivilege	2608	msdcsc.exe
Token: SeSystemProfilePrivilege	2608	msdcsc.exe
Token: SeSystemtimePrivilege	2608	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2608	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2608	msdcsc.exe
Token: SeCreatePagefilePrivilege	2608	msdcsc.exe
Token: SeBackupPrivilege	2608	msdcsc.exe
Token: SeRestorePrivilege	2608	msdcsc.exe
Token: SeShutdownPrivilege	2608	msdcsc.exe
Token: SeDebugPrivilege	2608	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2608	msdcsc.exe
Token: SeChangeNotifyPrivilege	2608	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2608	msdcsc.exe
Token: SeUndockPrivilege	2608	msdcsc.exe
Token: SeManageVolumePrivilege	2608	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 316	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	28
PID 2444 wrote to memory of 316	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	28
PID 2444 wrote to memory of 316	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	28
PID 2444 wrote to memory of 316	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	28
PID 2444 wrote to memory of 2252	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2252	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2252	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2252	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2252	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2252	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2252	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2252	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2252	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2252	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2252	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2252	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2252	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2252	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2252	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2252	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2252	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	29
PID 2444 wrote to memory of 2252	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	29
PID 316 wrote to memory of 2384	316	cmd.exe	31
PID 316 wrote to memory of 2384	316	cmd.exe	31
PID 316 wrote to memory of 2384	316	cmd.exe	31
PID 316 wrote to memory of 2384	316	cmd.exe	31
PID 2444 wrote to memory of 2156	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	32
PID 2444 wrote to memory of 2156	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	32
PID 2444 wrote to memory of 2156	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	32
PID 2444 wrote to memory of 2156	2444	a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe	32
PID 2156 wrote to memory of 1936	2156	msdcsc.exe	33
PID 2156 wrote to memory of 1936	2156	msdcsc.exe	33
PID 2156 wrote to memory of 1936	2156	msdcsc.exe	33
PID 2156 wrote to memory of 1936	2156	msdcsc.exe	33
PID 2156 wrote to memory of 1992	2156	msdcsc.exe	34
PID 2156 wrote to memory of 1992	2156	msdcsc.exe	34
PID 2156 wrote to memory of 1992	2156	msdcsc.exe	34
PID 2156 wrote to memory of 1992	2156	msdcsc.exe	34
PID 2156 wrote to memory of 1992	2156	msdcsc.exe	34
PID 2156 wrote to memory of 1992	2156	msdcsc.exe	34
PID 2156 wrote to memory of 1992	2156	msdcsc.exe	34
PID 2156 wrote to memory of 1992	2156	msdcsc.exe	34
PID 2156 wrote to memory of 1992	2156	msdcsc.exe	34
PID 2156 wrote to memory of 1992	2156	msdcsc.exe	34
PID 2156 wrote to memory of 1992	2156	msdcsc.exe	34
PID 2156 wrote to memory of 1992	2156	msdcsc.exe	34
PID 2156 wrote to memory of 1992	2156	msdcsc.exe	34
PID 2156 wrote to memory of 1992	2156	msdcsc.exe	34
PID 2156 wrote to memory of 1992	2156	msdcsc.exe	34
PID 2156 wrote to memory of 1992	2156	msdcsc.exe	34
PID 2156 wrote to memory of 1992	2156	msdcsc.exe	34
PID 2156 wrote to memory of 1992	2156	msdcsc.exe	34
PID 1936 wrote to memory of 2632	1936	cmd.exe	36
PID 1936 wrote to memory of 2632	1936	cmd.exe	36
PID 1936 wrote to memory of 2632	1936	cmd.exe	36
PID 1936 wrote to memory of 2632	1936	cmd.exe	36
PID 2156 wrote to memory of 2608	2156	msdcsc.exe	37
PID 2156 wrote to memory of 2608	2156	msdcsc.exe	37
PID 2156 wrote to memory of 2608	2156	msdcsc.exe	37
PID 2156 wrote to memory of 2608	2156	msdcsc.exe	37
PID 2608 wrote to memory of 2328	2608	msdcsc.exe	38
PID 2608 wrote to memory of 2328	2608	msdcsc.exe	38
PID 2608 wrote to memory of 2328	2608	msdcsc.exe	38
PID 2608 wrote to memory of 2328	2608	msdcsc.exe	38

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2992	attrib.exe
10076	attrib.exe
14992	Process not Found
748	attrib.exe
5652	attrib.exe
7624	attrib.exe
12248	Process not Found
19164	Process not Found
16628	Process not Found
18860	Process not Found
7020	attrib.exe
12224	Process not Found
12048	Process not Found
14792	Process not Found
1716	attrib.exe
2288	attrib.exe
4256	attrib.exe
5360	attrib.exe
6612	attrib.exe
9136	attrib.exe
15080	Process not Found
17876	Process not Found
16204	Process not Found
17636	Process not Found
2632	attrib.exe
3352	attrib.exe
9220	attrib.exe
2208	Process not Found
11348	Process not Found
15596	Process not Found
20136	Process not Found
5792	attrib.exe
16844	Process not Found
16664	Process not Found
4832	attrib.exe
4072	attrib.exe
10404	Process not Found
11316	Process not Found
13640	Process not Found
16332	Process not Found
13384	Process not Found
18752	Process not Found
8308	attrib.exe
9396	attrib.exe
10116	attrib.exe
16372	Process not Found
19264	Process not Found
4564	attrib.exe
7348	attrib.exe
9848	Process not Found
10736	Process not Found
17256	Process not Found
4468	attrib.exe
15188	Process not Found
16828	Process not Found
16632	Process not Found
19108	Process not Found
19500	Process not Found
5172	attrib.exe
9656	Process not Found
12988	Process not Found
16400	Process not Found
17636	Process not Found
17864	Process not Found

C:\Users\Admin\AppData\Local\Temp\a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe" +s +h
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\a39e406a9096eafa928a424f806c7282_JaffaCakes118.exe" +s +h
    3⤵
    PID:2384
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Deletes itself
  PID:2252
- C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
  "C:\Windows\system32\MSDCSC\msdcsc.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2632
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1992
- - C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\msdcsc.exe
    "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\msdcsc.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\msdcsc.exe" +s +h
      4⤵
      PID:2328
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\msdcsc.exe" +s +h
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
      "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      PID:1740
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        5⤵
        
        PID:1616
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        6⤵
        
        PID:2696
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:1680
    - - C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2772
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        6⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        7⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1716
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        
        PID:2904
      - C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        7⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        8⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        7⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        9⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        8⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        8⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        10⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        9⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        10⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        11⤵
        Sets file to hidden
        
        PID:1568
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        10⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        10⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        11⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        12⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        11⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        11⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        12⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        13⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        12⤵
        
        PID:776
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        12⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        14⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        13⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        13⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        14⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        15⤵
        Views/modifies file attributes
        
        PID:2288
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        14⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        16⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        15⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        15⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        16⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        17⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        16⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        18⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        17⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        17⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        18⤵
        
        PID:620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        19⤵
        Sets file to hidden
        
        PID:2160
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        18⤵
        
        PID:908
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        18⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        19⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        20⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        19⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        20⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        21⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        20⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        20⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        21⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        22⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        21⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        22⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        23⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        22⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        22⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        23⤵
        
        PID:780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        24⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        24⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        25⤵
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        24⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        24⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        25⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        26⤵
        Sets file to hidden
        
        PID:2852
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        25⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        25⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        26⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        27⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        26⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        26⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        27⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        28⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        27⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        27⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        28⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        29⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        28⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        28⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        30⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        29⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        29⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        30⤵
        
        PID:904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        31⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        30⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        30⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        31⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        32⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        31⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        31⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        32⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        33⤵
        Sets file to hidden
        
        PID:2716
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        32⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        32⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        34⤵
        Views/modifies file attributes
        
        PID:2992
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        33⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        33⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        34⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        35⤵
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        34⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        34⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        35⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        35⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        37⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        38⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        37⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        37⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        38⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        39⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        38⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        38⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        39⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        40⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        39⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        41⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        40⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        42⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        41⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        41⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        43⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        42⤵
        
        PID:940
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        42⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        43⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        44⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        43⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        43⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        44⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        45⤵
        Sets file to hidden
        
        PID:3576
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        44⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        44⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        45⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        46⤵
        Sets file to hidden
        
        PID:3772
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        45⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        45⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        46⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        47⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:3808
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        46⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        47⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        48⤵
        Views/modifies file attributes
        
        PID:748
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        47⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        48⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        49⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        48⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        48⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        50⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        49⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        49⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        50⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        51⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        50⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        51⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        52⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        51⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        51⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        52⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        53⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        52⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        53⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        54⤵
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        53⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        53⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        54⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        55⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        54⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        55⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        56⤵
        Drops file in System32 directory
        
        PID:3852
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        55⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        55⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        56⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        57⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        56⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        56⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        57⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        58⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        57⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        57⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        58⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        59⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        58⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        59⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        60⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        59⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        59⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        60⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        61⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        60⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        61⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        62⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        61⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        61⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        63⤵
        Drops file in System32 directory
        
        PID:3416
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        62⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        62⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        63⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        64⤵
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        63⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        64⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        65⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        64⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        65⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        66⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        65⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        65⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        66⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        67⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        66⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        66⤵
        Modifies WinLogon for persistence
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        67⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        67⤵
        Modifies WinLogon for persistence
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        68⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        68⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        68⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        70⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        69⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        69⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        70⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        70⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        70⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        71⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        71⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        71⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        72⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        73⤵
        Views/modifies file attributes
        
        PID:3352
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        72⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        72⤵
        Modifies WinLogon for persistence
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        73⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        74⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        73⤵
        
        PID:784
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        73⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        74⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        74⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        74⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        75⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        76⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        76⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        77⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        76⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        76⤵
        Adds Run key to start application
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        77⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        78⤵
        Sets file to hidden
        
        PID:4948
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        77⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        77⤵
        Modifies WinLogon for persistence
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        78⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        78⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        78⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        79⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        80⤵
        Views/modifies file attributes
        
        PID:4256
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        79⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        79⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        80⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        81⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        80⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        80⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        81⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        82⤵
        Views/modifies file attributes
        
        PID:4564
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        81⤵
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        82⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        83⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        82⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        83⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        83⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        83⤵
        Drops file in System32 directory
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        84⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        84⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        84⤵
        Adds Run key to start application
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        86⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        85⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        85⤵
        Adds Run key to start application
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        86⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        87⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        86⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        86⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        87⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        88⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        87⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        87⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        88⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        88⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        88⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        89⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        90⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        89⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        89⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        90⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        91⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        90⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        90⤵
        Modifies WinLogon for persistence
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        92⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        91⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        91⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        92⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        93⤵
        Views/modifies file attributes
        
        PID:4832
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        92⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        92⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        93⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        94⤵
        Views/modifies file attributes
        
        PID:4072
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        93⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        93⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        94⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        95⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        94⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        95⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        96⤵
        Sets file to hidden
        
        PID:5084
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        95⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        95⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        96⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        97⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        96⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        96⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        97⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        98⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        97⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        97⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        98⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        99⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        98⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        98⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        99⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        100⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        99⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        99⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        100⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        101⤵
        Views/modifies file attributes
        
        PID:4468
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        100⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        100⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        101⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        102⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        101⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        101⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        102⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        103⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        102⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        102⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        103⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        104⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        103⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        103⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        104⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        105⤵
        Sets file to hidden
        
        PID:4604
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        104⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        104⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        105⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        106⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        105⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        105⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        106⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        107⤵
        Views/modifies file attributes
        
        PID:5360
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        106⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        106⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        107⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        108⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        107⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        107⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        108⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        109⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        108⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        108⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        109⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        110⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        109⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        109⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        110⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        111⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        110⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        110⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        111⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        112⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        111⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        111⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        112⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        113⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        112⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        112⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        113⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        114⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        113⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        113⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        114⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        115⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        114⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        114⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        115⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        116⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        115⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        115⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        116⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        117⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        116⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        116⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        117⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        118⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        117⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        117⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        118⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        119⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        118⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        118⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        119⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        120⤵
        Views/modifies file attributes
        
        PID:5172
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        119⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        119⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        120⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        121⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        120⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        120⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        121⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        122⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        121⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        121⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        122⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        123⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        122⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        122⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        123⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        124⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        123⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        123⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        124⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        125⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        124⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        124⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        125⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        126⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        125⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        125⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        126⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        127⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        126⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        126⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        127⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        128⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        127⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        127⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        128⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        129⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        128⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        128⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        129⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        130⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        129⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        129⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        130⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        131⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        130⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        130⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        131⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        132⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        131⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        131⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        132⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        133⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        132⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        132⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        133⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        134⤵
        Views/modifies file attributes
        
        PID:5792
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        133⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        133⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        134⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        135⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        134⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        134⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        135⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        136⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        135⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        135⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        136⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        137⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        136⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        136⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        137⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        138⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        137⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        137⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        138⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        139⤵
        Sets file to hidden
        
        PID:6392
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        138⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        138⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        139⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        140⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        139⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        139⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        140⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        141⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        140⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        140⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        141⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        142⤵
        Views/modifies file attributes
        
        PID:7020
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        141⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        141⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        142⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        143⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        142⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        142⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        143⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        144⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        143⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        143⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        144⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        145⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        144⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        144⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        145⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        146⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        145⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        145⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        146⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        147⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        146⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        146⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        147⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        148⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        147⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        147⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        148⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        149⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        148⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        148⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        149⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        150⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        149⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        149⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        150⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        151⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        150⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        150⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        151⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        152⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        151⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        151⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        152⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        153⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        152⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        152⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        153⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        154⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        153⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        153⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        154⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        155⤵
        Sets file to hidden
        
        PID:5580
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        154⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        154⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        155⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        156⤵
        Sets file to hidden
        
        PID:6496
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        155⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        155⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        156⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        157⤵
        Sets file to hidden
        
        PID:6604
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        156⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        156⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        157⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        158⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        157⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        157⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        158⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        159⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        158⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        158⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        159⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        160⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        159⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        159⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        160⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        161⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        160⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        160⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        161⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        162⤵
        Views/modifies file attributes
        
        PID:5652
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        161⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        161⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        162⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        163⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        162⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        162⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        163⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        164⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        163⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        163⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        164⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        165⤵
        Views/modifies file attributes
        
        PID:6612
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        164⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        164⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        165⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        166⤵
        Sets file to hidden
        
        PID:6484
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        165⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        165⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        166⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        167⤵
        Sets file to hidden
        
        PID:5700
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        166⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        166⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        167⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        168⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        167⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        167⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        168⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        169⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        168⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        168⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        169⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        170⤵
        Sets file to hidden
        
        PID:7212
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        169⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        169⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        170⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        171⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        170⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        170⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        171⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        172⤵
        Views/modifies file attributes
        
        PID:7624
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        171⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        171⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        172⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        173⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        172⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        172⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        173⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        174⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        173⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        173⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        174⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        175⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        174⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        174⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        175⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        176⤵
        Views/modifies file attributes
        
        PID:7348
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        175⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        175⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        176⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        177⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        176⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        176⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        177⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        178⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        177⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        177⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        178⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        179⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        178⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        178⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        179⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        180⤵
        Sets file to hidden
        
        PID:6516
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        179⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        179⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        180⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        181⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        180⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        180⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        181⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        182⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        181⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        181⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        182⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        183⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        182⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        182⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        183⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        184⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        183⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        183⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        184⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        185⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        184⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        184⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        185⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        186⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        185⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        185⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        186⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        187⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        186⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        186⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        187⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        188⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        187⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        187⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        188⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        189⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        188⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        188⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        189⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        190⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        189⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        189⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        190⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        191⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        190⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        190⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        191⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        192⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        191⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        191⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        192⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        193⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        192⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        192⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        193⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        194⤵
        Sets file to hidden
        
        PID:6484
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        193⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        193⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        194⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        195⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        194⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        194⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        195⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        196⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        195⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        195⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        196⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        197⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        196⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        196⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        197⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        198⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        197⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        197⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        198⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        199⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        198⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        198⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        199⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        200⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        199⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        199⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        200⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        201⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        200⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        200⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        201⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        202⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        201⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        201⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        202⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        203⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        202⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        202⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        203⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        204⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        203⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        203⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        204⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        205⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        204⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        204⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        205⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        206⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        205⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        205⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        206⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        207⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        206⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        206⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        207⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        208⤵
        Sets file to hidden
        
        PID:8416
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        207⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        207⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        208⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        209⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        208⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        208⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        209⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        210⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        209⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        209⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        210⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        211⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        210⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        210⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        211⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        212⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        211⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        211⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        212⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        213⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        212⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        212⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        213⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        214⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        213⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        213⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        214⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        215⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        214⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        214⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        215⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        216⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        215⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        215⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        216⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        217⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        216⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        216⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        217⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        218⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        217⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        217⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        218⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        219⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        218⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        218⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        219⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        220⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        219⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        219⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        220⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        221⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        220⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        220⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        221⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        222⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        221⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        221⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        222⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        223⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        222⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        222⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        223⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        224⤵
        Views/modifies file attributes
        
        PID:9136
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        223⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        223⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        224⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        225⤵
        Views/modifies file attributes
        
        PID:8308
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        224⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        224⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        225⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        226⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        225⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        225⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        226⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        227⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        226⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        226⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        227⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        228⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        227⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        227⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        228⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        229⤵
        Sets file to hidden
        
        PID:9184
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        228⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        228⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        229⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        230⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        229⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        229⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        230⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        231⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        230⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        230⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        231⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        232⤵
        Sets file to hidden
        
        PID:7836
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        231⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        231⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        232⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        233⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        232⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        232⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        233⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        234⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        233⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        233⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        234⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        235⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        234⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        234⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        235⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        236⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        235⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        235⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        236⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        237⤵
        
        PID:9888
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        236⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        236⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        237⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        238⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        237⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        237⤵
        
        PID:10108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        238⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        239⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        238⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        238⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        239⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        240⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        239⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        239⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        240⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        241⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        240⤵
        
        PID:9460
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        240⤵
        
        PID:9668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        241⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        242⤵
        
        PID:9708
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        241⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        241⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        242⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        243⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        242⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        242⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        243⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        244⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        243⤵
        
        PID:10212
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        243⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        244⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        245⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        244⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        244⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        245⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        246⤵
        Sets file to hidden
        
        PID:9884
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        245⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        245⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        246⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        247⤵
        Sets file to hidden
        
        PID:9968
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        246⤵
        
        PID:9888
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        246⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        247⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        248⤵
        Views/modifies file attributes
        
        PID:9396
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        247⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        247⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        248⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        249⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        248⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        248⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        249⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        250⤵
        Views/modifies file attributes
        
        PID:10116
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        249⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        249⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        250⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        251⤵
        Sets file to hidden
        
        PID:10188
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        250⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        250⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        251⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        252⤵
        Views/modifies file attributes
        
        PID:9220
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        251⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        251⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        252⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe" +s +h
        253⤵
        Views/modifies file attributes
        
        PID:10076
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        252⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\MBzeYmsBiawB\MBzeYmsBiawB\msdcsc.exe"
        252⤵
        
        PID:9820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11491339151930182651-6523040191588517722-822337327-741128994-956835161-1736264810"
1⤵
PID:2772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15088739191771531322-46082859281790610114310935835194243531877387439502877619"
1⤵
PID:1568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-612182703-88109079-601522931657545971-1131473924-814399295-1259279571-1515415280"
1⤵
PID:2680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-967914727-691513571466099355284172801-301183444-1591146871-4175649821570266366"
1⤵
PID:2304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4275122421875071538656342290-689000978-376325743-1038419786-1979760254-263616050"
1⤵
PID:900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1003329611-16547365521341632490-11548021637500560-548518601-1026247978993749151"
1⤵
PID:836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2043244264744800224-1184605973371037345-443452230-506961047-1483253601-946467741"
1⤵
PID:748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "427472727-2427873841657268916663477337-130952032-1295499069568037896296242880"
1⤵
PID:3780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1953319856237960740-803551727-1712086793339317962-192224839103560580218729111"
1⤵
PID:3416

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "155356439-1605077480-732498297-1329567112125111661-1383485690-1664717464249657616"
1⤵
PID:3632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-964312114159925011713485580631931489936-1508334281-5592609592095448632-68242060"
1⤵
PID:3852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1990765203-1926130881460055650985202271-1515711782-212674302-565908684-209320753"
1⤵
PID:4336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2052803300-20886306001806379671659239263-1644775494-15030172821149615989-1252768778"
1⤵
PID:4548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-85970822317280209931934099878-1081195225100847421564294138712566131828535764"
1⤵
PID:4932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "905444132124078897-582943309-1803736866-948870883-11144941517554196011088445802"
1⤵
PID:4744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1816019996465517368-1795642878-14709898061540835192644699748-9421361031496402673"
1⤵
PID:3652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1640433096-6853171691091397976-168012119-15722729705677106752006020516-234000997"
1⤵
PID:4444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2044225694-52224004-1586262955-898203998552302987-2112456933-10409745581137054640"
1⤵
PID:3756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-885013339-625081147110705582-1712105829-1097794576-16067145491110633401-1540550379"
1⤵
PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
660KB

MD5
a39e406a9096eafa928a424f806c7282

SHA1
1e5ab6834818e098b27c1c0ed616a8456ee40dcc

SHA256
e607408e4c002676eb8c7f1a61f5a2c1d2c52b262ca98f71e5218297ccc96bc1

SHA512
b373670d309f7787b7a64d0db7bacd8bfb4d9695a96c9cc10d190b78ea0c3947954a1dcd4be352eb193a3c377f3c51f34387833d16c0f3b79d4189611a4839b5

Download Submit
memory/2156-68-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2252-3-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2252-17-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2444-0-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2444-26-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads