darkcomet | 60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063

Analysis

max time kernel
73s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Size

4.6MB
MD5

d35685275d19eba3a22a46003858b4b0
SHA1

196ffdf8fab82a9fe1a268cd6a6897ef331b46bb
SHA256

60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063
SHA512

5e33cd1983d05b9697ef3a0cb4ac8129f53b0156c434dad1398dec6e67b44e5fa82d531741b8afcf32e8106d59d64aeba5e71e53a6dba352d4f89621217374cf
SSDEEP

98304:J6b+fgPSpV+apIEypgOTCqAijHZA65ALrpjiN8:JyBAONp5AijH6AAPpjL

Score

10^/10

darkcomet eski kamarun discovery evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

eski kamarun

haybensenin3.zapto.org:1604

Mutex

DC_MUTEX-4J5WTK5

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
Yf3o5TbGwnLJ
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1560	attrib.exe
4048	attrib.exe
4436	attrib.exe
8492	attrib.exe
2780	attrib.exe
5148	attrib.exe
5728	attrib.exe
6968	attrib.exe
8284	attrib.exe
8604	attrib.exe
8396	attrib.exe
5672	attrib.exe
3704	attrib.exe
5980	attrib.exe
9116	attrib.exe
2960	attrib.exe
4788	attrib.exe
4144	attrib.exe
5740	attrib.exe
6716	attrib.exe
7352	attrib.exe
7236	attrib.exe
9080	attrib.exe
4940	attrib.exe
9540	attrib.exe
592	attrib.exe
1880	attrib.exe
4880	attrib.exe
5124	attrib.exe
6344	attrib.exe
6368	attrib.exe
8740	attrib.exe
1596	attrib.exe
4212	attrib.exe
4428	attrib.exe
4940	attrib.exe
4972	attrib.exe
8036	attrib.exe
2476	attrib.exe
2000	attrib.exe
1528	attrib.exe
4264	attrib.exe
4528	attrib.exe
8572	attrib.exe
9152	attrib.exe
1444	attrib.exe
8308	attrib.exe
3384	attrib.exe
3980	attrib.exe
4380	attrib.exe
5892	attrib.exe
5336	attrib.exe
8844	attrib.exe
2408	attrib.exe
3680	attrib.exe
5104	attrib.exe
6400	attrib.exe
8012	attrib.exe
8688	attrib.exe
3692	attrib.exe
5288	attrib.exe
5976	attrib.exe
7052	attrib.exe
9112	attrib.exe

Deletes itself 1 IoCs

pid	Process
2888	notepad.exe

Executes dropped EXE 64 IoCs

pid	Process
2012	MT2-MULTI.EXE
2820	msdcsc.exe
2624	MT2-MULTI.EXE
288	msdcsc.exe
824	MT2-MULTI.EXE
1004	msdcsc.exe
1396	MT2-MULTI.EXE
2212	msdcsc.exe
2368	MT2-MULTI.EXE
2100	msdcsc.exe
2788	MT2-MULTI.EXE
2584	msdcsc.exe
1784	MT2-MULTI.EXE
2752	msdcsc.exe
2440	MT2-MULTI.EXE
944	msdcsc.exe
1992	MT2-MULTI.EXE
2680	msdcsc.exe
2504	MT2-MULTI.EXE
772	msdcsc.exe
2760	MT2-MULTI.EXE
2856	msdcsc.exe
1568	MT2-MULTI.EXE
2976	msdcsc.exe
2228	MT2-MULTI.EXE
1584	msdcsc.exe
2324	MT2-MULTI.EXE
1676	msdcsc.exe
332	MT2-MULTI.EXE
2960	msdcsc.exe
1692	MT2-MULTI.EXE
408	msdcsc.exe
2856	MT2-MULTI.EXE
2316	msdcsc.exe
2744	MT2-MULTI.EXE
1504	msdcsc.exe
1716	MT2-MULTI.EXE
2576	msdcsc.exe
1388	MT2-MULTI.EXE
2040	msdcsc.exe
2668	MT2-MULTI.EXE
2996	msdcsc.exe
2688	MT2-MULTI.EXE
1672	msdcsc.exe
2152	MT2-MULTI.EXE
2452	msdcsc.exe
2884	MT2-MULTI.EXE
1504	msdcsc.exe
1880	MT2-MULTI.EXE
1560	msdcsc.exe
1696	MT2-MULTI.EXE
2008	msdcsc.exe
1908	MT2-MULTI.EXE
2472	msdcsc.exe
904	MT2-MULTI.EXE
2184	msdcsc.exe
2984	MT2-MULTI.EXE
2132	msdcsc.exe
2580	MT2-MULTI.EXE
2472	msdcsc.exe
772	MT2-MULTI.EXE
3060	msdcsc.exe
1792	MT2-MULTI.EXE
3096	msdcsc.exe

Loads dropped DLL 64 IoCs

pid	Process
2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
2820	msdcsc.exe
2820	msdcsc.exe
2820	msdcsc.exe
288	msdcsc.exe
288	msdcsc.exe
288	msdcsc.exe
1004	msdcsc.exe
1004	msdcsc.exe
1004	msdcsc.exe
2212	msdcsc.exe
2212	msdcsc.exe
2212	msdcsc.exe
2100	msdcsc.exe
2100	msdcsc.exe
2100	msdcsc.exe
2584	msdcsc.exe
2584	msdcsc.exe
2584	msdcsc.exe
2752	msdcsc.exe
2752	msdcsc.exe
2752	msdcsc.exe
944	msdcsc.exe
944	msdcsc.exe
944	msdcsc.exe
2680	msdcsc.exe
2680	msdcsc.exe
2680	msdcsc.exe
772	msdcsc.exe
772	msdcsc.exe
772	msdcsc.exe
2856	msdcsc.exe
2856	msdcsc.exe
2856	msdcsc.exe
2976	msdcsc.exe
2976	msdcsc.exe
2976	msdcsc.exe
1584	msdcsc.exe
1584	msdcsc.exe
1584	msdcsc.exe
1676	msdcsc.exe
1676	msdcsc.exe
1676	msdcsc.exe
2960	msdcsc.exe
2960	msdcsc.exe
2960	msdcsc.exe
408	msdcsc.exe
408	msdcsc.exe
408	msdcsc.exe
2316	msdcsc.exe
2316	msdcsc.exe
2316	msdcsc.exe
1504	msdcsc.exe
1504	msdcsc.exe
1504	msdcsc.exe
2576	msdcsc.exe
2576	msdcsc.exe
2576	msdcsc.exe
2040	msdcsc.exe
2040	msdcsc.exe
2040	msdcsc.exe
2996	msdcsc.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016399-9.dat	upx
behavioral1/memory/2012-10-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2624-42-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/824-141-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/1396-187-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2012-185-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2624-218-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2368-226-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2788-268-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/1784-308-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/1396-310-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2440-347-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2368-348-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2788-389-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/1992-395-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/1784-433-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2504-438-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2440-582-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/1992-741-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2504-850-0x0000000000400000-0x00000000008C5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeSecurityPrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeBackupPrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeRestorePrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeShutdownPrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeUndockPrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: 33	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: 34	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: 35	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2820	msdcsc.exe
Token: SeSecurityPrivilege	2820	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2820	msdcsc.exe
Token: SeLoadDriverPrivilege	2820	msdcsc.exe
Token: SeSystemProfilePrivilege	2820	msdcsc.exe
Token: SeSystemtimePrivilege	2820	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2820	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2820	msdcsc.exe
Token: SeCreatePagefilePrivilege	2820	msdcsc.exe
Token: SeBackupPrivilege	2820	msdcsc.exe
Token: SeRestorePrivilege	2820	msdcsc.exe
Token: SeShutdownPrivilege	2820	msdcsc.exe
Token: SeDebugPrivilege	2820	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2820	msdcsc.exe
Token: SeChangeNotifyPrivilege	2820	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2820	msdcsc.exe
Token: SeUndockPrivilege	2820	msdcsc.exe
Token: SeManageVolumePrivilege	2820	msdcsc.exe
Token: SeImpersonatePrivilege	2820	msdcsc.exe
Token: SeCreateGlobalPrivilege	2820	msdcsc.exe
Token: 33	2820	msdcsc.exe
Token: 34	2820	msdcsc.exe
Token: 35	2820	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	288	msdcsc.exe
Token: SeSecurityPrivilege	288	msdcsc.exe
Token: SeTakeOwnershipPrivilege	288	msdcsc.exe
Token: SeLoadDriverPrivilege	288	msdcsc.exe
Token: SeSystemProfilePrivilege	288	msdcsc.exe
Token: SeSystemtimePrivilege	288	msdcsc.exe
Token: SeProfSingleProcessPrivilege	288	msdcsc.exe
Token: SeIncBasePriorityPrivilege	288	msdcsc.exe
Token: SeCreatePagefilePrivilege	288	msdcsc.exe
Token: SeBackupPrivilege	288	msdcsc.exe
Token: SeRestorePrivilege	288	msdcsc.exe
Token: SeShutdownPrivilege	288	msdcsc.exe
Token: SeDebugPrivilege	288	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	288	msdcsc.exe
Token: SeChangeNotifyPrivilege	288	msdcsc.exe
Token: SeRemoteShutdownPrivilege	288	msdcsc.exe
Token: SeUndockPrivilege	288	msdcsc.exe
Token: SeManageVolumePrivilege	288	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2076	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2076	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2076	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2076	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2012	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2012	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2012	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2012	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	32
PID 2076 wrote to memory of 2676	2076	cmd.exe	33
PID 2076 wrote to memory of 2676	2076	cmd.exe	33
PID 2076 wrote to memory of 2676	2076	cmd.exe	33
PID 2076 wrote to memory of 2676	2076	cmd.exe	33
PID 2384 wrote to memory of 2888	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2888	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2888	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2888	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2888	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2888	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2888	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2888	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2888	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2888	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2888	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2888	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2888	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2888	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2888	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2888	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2888	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2888	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2820	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	35
PID 2384 wrote to memory of 2820	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	35
PID 2384 wrote to memory of 2820	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	35
PID 2384 wrote to memory of 2820	2384	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	35
PID 2820 wrote to memory of 2632	2820	msdcsc.exe	36
PID 2820 wrote to memory of 2632	2820	msdcsc.exe	36
PID 2820 wrote to memory of 2632	2820	msdcsc.exe	36
PID 2820 wrote to memory of 2632	2820	msdcsc.exe	36
PID 2820 wrote to memory of 2624	2820	msdcsc.exe	37
PID 2820 wrote to memory of 2624	2820	msdcsc.exe	37
PID 2820 wrote to memory of 2624	2820	msdcsc.exe	37
PID 2820 wrote to memory of 2624	2820	msdcsc.exe	37
PID 2624 wrote to memory of 584	2624	MT2-MULTI.EXE	39
PID 2624 wrote to memory of 584	2624	MT2-MULTI.EXE	39
PID 2624 wrote to memory of 584	2624	MT2-MULTI.EXE	39
PID 2624 wrote to memory of 584	2624	MT2-MULTI.EXE	39
PID 2820 wrote to memory of 1096	2820	msdcsc.exe	40
PID 2820 wrote to memory of 1096	2820	msdcsc.exe	40
PID 2820 wrote to memory of 1096	2820	msdcsc.exe	40
PID 2820 wrote to memory of 1096	2820	msdcsc.exe	40
PID 2820 wrote to memory of 1096	2820	msdcsc.exe	40
PID 2820 wrote to memory of 1096	2820	msdcsc.exe	40
PID 2820 wrote to memory of 1096	2820	msdcsc.exe	40
PID 2820 wrote to memory of 1096	2820	msdcsc.exe	40
PID 2820 wrote to memory of 1096	2820	msdcsc.exe	40
PID 2820 wrote to memory of 1096	2820	msdcsc.exe	40
PID 2820 wrote to memory of 1096	2820	msdcsc.exe	40
PID 2820 wrote to memory of 1096	2820	msdcsc.exe	40
PID 2820 wrote to memory of 1096	2820	msdcsc.exe	40
PID 2820 wrote to memory of 1096	2820	msdcsc.exe	40
PID 2820 wrote to memory of 1096	2820	msdcsc.exe	40
PID 2820 wrote to memory of 1096	2820	msdcsc.exe	40
PID 2820 wrote to memory of 1096	2820	msdcsc.exe	40
PID 2820 wrote to memory of 1096	2820	msdcsc.exe	40

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2864	attrib.exe
4316	attrib.exe
4788	attrib.exe
5452	attrib.exe
6464	attrib.exe
5976	attrib.exe
6588	attrib.exe
7008	attrib.exe
2000	attrib.exe
3464	attrib.exe
3536	attrib.exe
3636	attrib.exe
3680	attrib.exe
5024	attrib.exe
4608	attrib.exe
8096	attrib.exe
7920	attrib.exe
1680	attrib.exe
4264	attrib.exe
8036	attrib.exe
8744	attrib.exe
6344	attrib.exe
1796	attrib.exe
2864	attrib.exe
4940	attrib.exe
6032	attrib.exe
5580	attrib.exe
6264	attrib.exe
6056	attrib.exe
7184	attrib.exe
5784	attrib.exe
8396	attrib.exe
2476	attrib.exe
3256	attrib.exe
5932	attrib.exe
6216	attrib.exe
7472	attrib.exe
8512	attrib.exe
8688	attrib.exe
2472	attrib.exe
4428	attrib.exe
4880	attrib.exe
4788	attrib.exe
5892	attrib.exe
5408	attrib.exe
9320	attrib.exe
1208	attrib.exe
3704	attrib.exe
4440	attrib.exe
5524	attrib.exe
5296	attrib.exe
7272	attrib.exe
8284	attrib.exe
2780	attrib.exe
8568	attrib.exe
2676	attrib.exe
1596	attrib.exe
592	attrib.exe
1880	attrib.exe
5124	attrib.exe
5532	attrib.exe
5408	attrib.exe
7472	attrib.exe
1560	attrib.exe

C:\Users\Admin\AppData\Local\Temp\d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe" +s +h
    3⤵
    - Views/modifies file attributes
    PID:2676
- C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
  "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Deletes itself
  PID:2888
- C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
  "C:\Windows\system32\MSDCSC\msdcsc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
    3⤵
    PID:2632
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
      4⤵
      PID:1964
- - C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
    "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\BB15.tmp\Mt2-Multi.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:584
    - - C:\Windows\SysWOW64\xcopy.exe
        
        xcopy root.eix pack /y
        5⤵
        Enumerates system info in registry
        
        PID:1152
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe
    "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:288
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
      4⤵
      PID:2300
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
      "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:824
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
      "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      PID:1004
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        5⤵
        
        PID:1440
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        6⤵
        Views/modifies file attributes
        
        PID:1796
    - - C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        5⤵
        Executes dropped EXE
        
        PID:1396
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:2180
    - - C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2212
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        6⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:592
      - C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        6⤵
        Executes dropped EXE
        
        PID:2368
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        
        PID:1588
      - C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        7⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        8⤵
        Views/modifies file attributes
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        7⤵
        Executes dropped EXE
        
        PID:2788
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        8⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        9⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        8⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        8⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        8⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        10⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        9⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        9⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        10⤵
        
        PID:968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        11⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        10⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        10⤵
        
        PID:792
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        10⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        12⤵
        Sets file to hidden
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        11⤵
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        11⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        11⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        12⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        13⤵
        Drops file in System32 directory
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        12⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        12⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        13⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        14⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        13⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        13⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        13⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        14⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        15⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        14⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        14⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        14⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        15⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        16⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        15⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        16⤵
        
        PID:636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        17⤵
        Sets file to hidden
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        16⤵
        Executes dropped EXE
        
        PID:332
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        16⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        17⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        18⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        17⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        17⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        18⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        19⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        18⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        18⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        19⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        20⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        19⤵
        Executes dropped EXE
        
        PID:2744
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        19⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        19⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        20⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        21⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        20⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        20⤵
        
        PID:864
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        20⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        21⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        22⤵
        Views/modifies file attributes
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        21⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        21⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        22⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        22⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        22⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        23⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        24⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        23⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        23⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        23⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        24⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        24⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        24⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        25⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        26⤵
        Drops file in System32 directory
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        25⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        25⤵
        
        PID:628
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        25⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        27⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        26⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        26⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        26⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        27⤵
        
        PID:820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        28⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        27⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        27⤵
        
        PID:844
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        28⤵
        
        PID:676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        29⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        28⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        28⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        29⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        30⤵
        Drops file in System32 directory
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        29⤵
        Executes dropped EXE
        
        PID:904
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        29⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        30⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        31⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        30⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        30⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        30⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        31⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        31⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        31⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        31⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        32⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        33⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        32⤵
        Executes dropped EXE
        
        PID:772
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        32⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        32⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        34⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        33⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        33⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        33⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        34⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        35⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        34⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        34⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        35⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        36⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        35⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        35⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        35⤵
        Modifies WinLogon for persistence
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        36⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        37⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        36⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        36⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        36⤵
        Adds Run key to start application
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        37⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        37⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        38⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        39⤵
        Sets file to hidden
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        38⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        38⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        39⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        40⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        39⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        39⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        39⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        40⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        41⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        40⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        40⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        41⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        42⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        41⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        41⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        41⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        42⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        43⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        42⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        42⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        42⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        43⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        44⤵
        Views/modifies file attributes
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        43⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        43⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        43⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        44⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        45⤵
        Views/modifies file attributes
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        44⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        44⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        44⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        45⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        46⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        45⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        45⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        45⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        46⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        46⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        46⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        46⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        47⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        48⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        47⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        47⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        47⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        48⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        49⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        48⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        48⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        48⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        49⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        50⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        49⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        49⤵
        
        PID:812
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        49⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        50⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        51⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        50⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        50⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        50⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        51⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        52⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        51⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        51⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        53⤵
        Views/modifies file attributes
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        52⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        52⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        52⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        53⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        54⤵
        Drops file in System32 directory
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        53⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        53⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        53⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        54⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        55⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        54⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        54⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        54⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        55⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        56⤵
        Views/modifies file attributes
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        55⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        55⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        55⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        56⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        57⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        56⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        56⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        56⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        57⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        58⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        57⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        57⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        57⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        58⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        59⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        58⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        59⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        60⤵
        Views/modifies file attributes
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        59⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        59⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        59⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        61⤵
        Sets file to hidden
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        60⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        60⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        62⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        61⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        61⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        61⤵
        Adds Run key to start application
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        62⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        63⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        62⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        62⤵
        Modifies WinLogon for persistence
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        63⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        64⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        63⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        63⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        64⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        65⤵
        Sets file to hidden
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        64⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        64⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        64⤵
        Adds Run key to start application
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        65⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        66⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        65⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        65⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        65⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        66⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        67⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        66⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        66⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        66⤵
        Modifies WinLogon for persistence
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        67⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        68⤵
        Views/modifies file attributes
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        67⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        67⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        67⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        68⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        68⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        68⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        68⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        69⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        70⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        69⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        69⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        69⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        70⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        71⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        70⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        70⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        71⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        72⤵
        Sets file to hidden
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        71⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        71⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        71⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        72⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        72⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        72⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        74⤵
        Sets file to hidden
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        73⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        74⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        75⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        74⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        74⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        76⤵
        Views/modifies file attributes
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        75⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        75⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        75⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        76⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        77⤵
        Sets file to hidden
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        76⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        76⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        76⤵
        Adds Run key to start application
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        77⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        78⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        77⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        77⤵
        Modifies WinLogon for persistence
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        79⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        78⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        78⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        79⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        80⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        79⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        79⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        79⤵
        Modifies WinLogon for persistence
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        80⤵
        
        PID:292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        81⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        80⤵
        
        PID:724
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        80⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        80⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        81⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        82⤵
        Sets file to hidden
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        81⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        82⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        83⤵
        Views/modifies file attributes
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        82⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        82⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        82⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        83⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        84⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        83⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        83⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        83⤵
        Modifies WinLogon for persistence
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        84⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        85⤵
        Views/modifies file attributes
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        84⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        84⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        84⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        85⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        86⤵
        Views/modifies file attributes
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        85⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        85⤵
        Adds Run key to start application
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        86⤵
        
        PID:548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        87⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        86⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        86⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        86⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        87⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        88⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        87⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        87⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        87⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        88⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        89⤵
        
        PID:5232
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        88⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        88⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        88⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        89⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        90⤵
        Views/modifies file attributes
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        89⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        89⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        89⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        90⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        91⤵
        Sets file to hidden
        
        PID:5672
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        90⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        90⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        90⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        91⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        92⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5892
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        91⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        91⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        91⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        92⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        93⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        92⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        92⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        92⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        93⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        94⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        93⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        93⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        93⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        94⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        95⤵
        Views/modifies file attributes
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        94⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        94⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        94⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        95⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        96⤵
        Views/modifies file attributes
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        95⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        95⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        95⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        96⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        97⤵
        Views/modifies file attributes
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        96⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        96⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        96⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        97⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        98⤵
        Sets file to hidden
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        97⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        97⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        97⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        98⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        99⤵
        Views/modifies file attributes
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        98⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        98⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        98⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        99⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        100⤵
        Views/modifies file attributes
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        99⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        99⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        99⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        100⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        101⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        100⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        100⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        100⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        101⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        102⤵
        Sets file to hidden
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        101⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        101⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        101⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        102⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        103⤵
        Sets file to hidden
        
        PID:5980
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        102⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        102⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        102⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        103⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        104⤵
        Views/modifies file attributes
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        103⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        103⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        103⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        104⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        105⤵
        Sets file to hidden
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        104⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        104⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        104⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        105⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        106⤵
        Views/modifies file attributes
        
        PID:5532
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        105⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        105⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        105⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        106⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        107⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        106⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        106⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        106⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        107⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        108⤵
        Sets file to hidden
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        107⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        107⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        107⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        108⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        109⤵
        Sets file to hidden
        
        PID:5740
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        108⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        108⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        108⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        109⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        110⤵
        Views/modifies file attributes
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        109⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        109⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        109⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        110⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        111⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        110⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        110⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        110⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        111⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        112⤵
        Views/modifies file attributes
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        111⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        111⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        111⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        112⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        113⤵
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        112⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        112⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        112⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        113⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        114⤵
        Views/modifies file attributes
        
        PID:6264
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        113⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        113⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        113⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        114⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        115⤵
        
        PID:6492
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        114⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        114⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        114⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        115⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        116⤵
        Sets file to hidden
        
        PID:6716
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        115⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        115⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        115⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        116⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        117⤵
        
        PID:6932
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        116⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        116⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        116⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        117⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        118⤵
        
        PID:7152
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        117⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        117⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        117⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        118⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        119⤵
        
        PID:6312
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        118⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        118⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        118⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        119⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        120⤵
        
        PID:6580
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        119⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        119⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        119⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        120⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        121⤵
        
        PID:6836
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        120⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        120⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        120⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        121⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        122⤵
        
        PID:6892
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        121⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        121⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        121⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        122⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        123⤵
        Sets file to hidden
        
        PID:6344
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        122⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        122⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        122⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        123⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        124⤵
        Views/modifies file attributes
        
        PID:6464
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        123⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        123⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        123⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        124⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        125⤵
        Sets file to hidden
        
        PID:6968
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        124⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        124⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        124⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        125⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        126⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        125⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        125⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        125⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        126⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        127⤵
        Views/modifies file attributes
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        126⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        126⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        126⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        127⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        128⤵
        Views/modifies file attributes
        
        PID:7008
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        127⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        127⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        127⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        128⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        129⤵
        Sets file to hidden
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        128⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        128⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        128⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        129⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        130⤵
        
        PID:6528
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        129⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        129⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        129⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        130⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        131⤵
        
        PID:6988
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        130⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        130⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        130⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        131⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        132⤵
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        131⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        131⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        131⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        132⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        133⤵
        Sets file to hidden
        
        PID:7052
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        132⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        132⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        132⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        133⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        134⤵
        
        PID:7124
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        133⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        133⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        133⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        134⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        135⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        134⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        134⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        134⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        135⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        136⤵
        Views/modifies file attributes
        
        PID:6588
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        135⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        135⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        135⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        136⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        137⤵
        Sets file to hidden
        
        PID:6400
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        136⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        136⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        136⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        137⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        138⤵
        
        PID:6648
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        137⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        137⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        137⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        138⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        139⤵
        Views/modifies file attributes
        
        PID:6216
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        138⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        138⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        138⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        139⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        140⤵
        
        PID:7284
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        139⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        139⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        139⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        140⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        141⤵
        
        PID:7512
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        140⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        140⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        140⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        141⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        142⤵
        
        PID:7740
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        141⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        141⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        141⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        142⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        143⤵
        
        PID:7980
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        142⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        142⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        142⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        143⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        144⤵
        
        PID:6608
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        143⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        143⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        143⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        144⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        145⤵
        Sets file to hidden
        
        PID:7352
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        144⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        144⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        144⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        145⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        146⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        145⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        145⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        145⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        146⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        147⤵
        
        PID:7868
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        146⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        146⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        146⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        147⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        148⤵
        
        PID:7936
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        147⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        147⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        147⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        148⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        149⤵
        
        PID:7376
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        148⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        148⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        148⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        149⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        150⤵
        Views/modifies file attributes
        
        PID:7472
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        149⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        149⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        149⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        150⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        151⤵
        
        PID:8028
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        150⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        150⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        150⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        151⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        152⤵
        Views/modifies file attributes
        
        PID:8096
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        151⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        151⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        151⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        152⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        153⤵
        Views/modifies file attributes
        
        PID:7472
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        152⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        152⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        152⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        153⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        154⤵
        
        PID:7820
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        153⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        153⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        153⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        154⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        155⤵
        Views/modifies file attributes
        
        PID:7272
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        154⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        154⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        154⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        155⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        156⤵
        Views/modifies file attributes
        
        PID:8036
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        155⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        155⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        155⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        156⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        157⤵
        
        PID:7696
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        156⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        156⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        156⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        157⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        158⤵
        Sets file to hidden
        
        PID:8036
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        157⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        157⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        157⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        158⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        159⤵
        
        PID:7236
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        158⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        158⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        158⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        159⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        160⤵
        Views/modifies file attributes
        
        PID:6344
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        159⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        159⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        159⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        160⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        161⤵
        Sets file to hidden
        
        PID:8012
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        160⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        160⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        160⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        161⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        162⤵
        
        PID:7288
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        161⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        161⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        161⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        162⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        163⤵
        
        PID:7024
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        162⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        162⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        162⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        163⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        164⤵
        Sets file to hidden
        
        PID:7236
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        163⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        163⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        163⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        164⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        165⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8284
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        164⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        164⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        164⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        165⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        166⤵
        Views/modifies file attributes
        
        PID:8512
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        165⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        165⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        165⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        166⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        167⤵
        Sets file to hidden
        
        PID:8740
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        166⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        166⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        166⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        167⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        168⤵
        
        PID:8956
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        167⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        167⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        167⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        168⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        169⤵
        
        PID:9180
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        168⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        168⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        168⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        169⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        170⤵
        Sets file to hidden
        
        PID:8308
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        169⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        169⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        169⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        170⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        171⤵
        Views/modifies file attributes
        
        PID:8568
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        170⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        170⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        170⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        171⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        172⤵
        
        PID:8852
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        171⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        171⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        171⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        172⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        173⤵
        Sets file to hidden
        
        PID:9080
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        172⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        172⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        172⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        173⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        174⤵
        Sets file to hidden
        
        PID:9116
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        173⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        173⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        173⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        174⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        175⤵
        Sets file to hidden
        
        PID:8604
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        174⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        174⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        174⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        175⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        176⤵
        
        PID:8688
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        175⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        175⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        175⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        176⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        177⤵
        Views/modifies file attributes
        
        PID:7184
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        176⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        176⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        176⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        177⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        178⤵
        Views/modifies file attributes
        
        PID:7920
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        177⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        177⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        177⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        178⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        179⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8688
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        178⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        178⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        178⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        179⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        180⤵
        Sets file to hidden
        
        PID:9112
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        179⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        179⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        179⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        180⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        181⤵
        
        PID:8572
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        180⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        180⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        180⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        181⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        182⤵
        Sets file to hidden
        
        PID:8844
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        181⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        181⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        181⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        182⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        183⤵
        Sets file to hidden
        
        PID:8492
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        182⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        182⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        182⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        183⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        184⤵
        Views/modifies file attributes
        
        PID:8744
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        183⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        183⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        183⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        184⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        185⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8396
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        184⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        184⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        184⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        185⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        186⤵
        
        PID:8884
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        185⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        185⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        185⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        186⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        187⤵
        Sets file to hidden
        
        PID:8572
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        186⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        186⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        186⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        187⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        188⤵
        
        PID:8672
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        187⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        187⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        187⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        188⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        189⤵
        
        PID:8908
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        188⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        188⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        188⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        189⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        190⤵
        Sets file to hidden
        
        PID:9152
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        189⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        189⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        189⤵
        
        PID:9252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        190⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        191⤵
        Views/modifies file attributes
        
        PID:9320
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        190⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        190⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        190⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        191⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        192⤵
        Sets file to hidden
        
        PID:9540
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        191⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        191⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        191⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        192⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        193⤵
        
        PID:9760
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        192⤵
        
        PID:9740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14565062737092367001418972331-2011118560-168797429-39926953-18484454311727295756"
1⤵
PID:2780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "863814721-10372615751072241108945079221-3610509801409092018-1728510313-966626265"
1⤵
PID:2112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6909908241084362522-693627770455263950-2024499988-17566368615171246901126494566"
1⤵
PID:3096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5783421216844196141202244579-530637557-713644394-42472751127392540106900129"
1⤵
PID:3116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1025871419-104843994-1226760935380928069-7714104412131931360-6907293051751704176"
1⤵
PID:4460

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2082137383845249880-1062833722-4058240-9555173232795289541838512325194262216"
1⤵
PID:4880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1021638213-131064579457709827-13714032141124641473-1508731728-299469958-1814732933"
1⤵
PID:4116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "635229759693815305-18198440341031559678-1592872058596268949-1023971562-1510119953"
1⤵
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BB15.tmp\Mt2-Multi.bat

Filesize
1017B

MD5
e8418b1de6056eba9bc6ab0c39816d92

SHA1
84f1a312e1e091a6a3a2732dfaadb184925ecf23

SHA256
dc03a6cb5d890b394710e7e7e62078769e022f67fc860ef395c9266cc6e366c3

SHA512
5850e9ae599d8e331cd1de9d588b6141a5fb49535465269e77f48f5f8c502e8031bc8db323c24ea8d4848fc65504ae1fbd6fde668ed14ae1f5671efccdc8215b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE

Filesize
4.0MB

MD5
ccc17e89b056812ed0974d656b1238af

SHA1
3cb7818b697a97a51765849dfdc1d907a53e3b46

SHA256
5665f6c603b8356a61fe90d5d90b0ea945342c90210eccdf4884d1ca88013703

SHA512
67c327330ea33026e447c3b636c86833145e2b9931b423cfa906c4d0423504e7d374f389cb3c1b31cc98e3f235b9e0e14d633b0b7df1f0135b5df71187510601

Download Submit
C:\Users\Admin\AppData\Local\Temp\locale_de.eix

Filesize
5KB

MD5
ecd47ce38514bdcc77261d7999c1fc31

SHA1
2474132673bff0597126066a02aacf93d121df33

SHA256
7de3ed1684a75828b8b018b657377526d3757ec12c3bae23b791397d99725177

SHA512
f444739eba131ead9fb3758866c695da3e9b71fcd17f9a9b6f17a8385eadb2d9c5b525048c2ec79792e6524f2620c73151fc49956335b684756f3dec8e97d800

Download Submit
C:\Users\Admin\AppData\Local\Temp\locale_de.epk

Filesize
4.0MB

MD5
d7f078c90867fcde7c5d8436cc56971c

SHA1
b1f71f7496418a479ceaf584d010b5c33dd8974e

SHA256
90e38a646c07e5ea8456459bee2d07920e48bd916e841f8328372d2971a74c98

SHA512
2b44e4e583c8d6205d1e5532c50d2811bc704455ba89312746084a2a3d5e688c7a12c3fcd5c2031abb6a84a2eb9f8406f1096f1236bcc1496bde07365dbaba13

Download Submit
C:\Users\Admin\AppData\Local\Temp\mod_config.cfg

Filesize
105B

MD5
f856c5b043e95b51974550405aef95af

SHA1
e7e8b5e0000fdb416a46c3d95316520e92c5185e

SHA256
b1bb1ad59ab40011980401ad514b4e7a2adcba56912045afbad090f593fce813

SHA512
e38a84fd7baef517a9cf031c69ce63cb4136de2ec2cf8665d24b9632faf5fed523b73754225c6cce92967ea378f85d21c21e0735dc070891f1a52a57f769927f

Download Submit
C:\Users\Admin\AppData\Local\Temp\root.eix

Filesize
3KB

MD5
bd2a5779cc56ea237fcf3190e3a0c0e8

SHA1
3b017ae3f3e64754f99ab3803560aa154f03d5d6

SHA256
e1be3b513f11f6745da58ca609704591658510dfb58a42fc660f86dae68a4992

SHA512
ee664522f20f364d2d99ebeaedc639d156f96d1674fe0ae20c4b817b0043de471caf5d69ec7a7711aa81e7e1e9237de168f3a45e734f44ca74ce84cdc9fbc65a

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
4.6MB

MD5
d35685275d19eba3a22a46003858b4b0

SHA1
196ffdf8fab82a9fe1a268cd6a6897ef331b46bb

SHA256
60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063

SHA512
5e33cd1983d05b9697ef3a0cb4ac8129f53b0156c434dad1398dec6e67b44e5fa82d531741b8afcf32e8106d59d64aeba5e71e53a6dba352d4f89621217374cf

Download Submit
memory/288-140-0x0000000003F20000-0x00000000043E5000-memory.dmp

Filesize
4.8MB

Download
memory/772-474-0x0000000003F20000-0x00000000043E5000-memory.dmp

Filesize
4.8MB

Download
memory/824-141-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/944-390-0x0000000003ED0000-0x0000000004395000-memory.dmp

Filesize
4.8MB

Download
memory/1004-186-0x0000000004140000-0x0000000004605000-memory.dmp

Filesize
4.8MB

Download
memory/1396-187-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1396-310-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1784-433-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1784-308-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1992-395-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1992-741-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2012-185-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2012-10-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2100-267-0x0000000003EE0000-0x00000000043A5000-memory.dmp

Filesize
4.8MB

Download
memory/2212-225-0x0000000004140000-0x0000000004605000-memory.dmp

Filesize
4.8MB

Download
memory/2368-226-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2368-348-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2384-0-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2384-8-0x0000000004170000-0x0000000004635000-memory.dmp

Filesize
4.8MB

Download
memory/2384-34-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/2440-347-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2440-582-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2504-850-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2504-438-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2584-307-0x0000000003F10000-0x00000000043D5000-memory.dmp

Filesize
4.8MB

Download
memory/2624-42-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2624-218-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2680-437-0x00000000040E0000-0x00000000045A5000-memory.dmp

Filesize
4.8MB

Download
memory/2788-389-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2788-268-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2820-41-0x0000000003F20000-0x00000000043E5000-memory.dmp

Filesize
4.8MB

Download
memory/2820-131-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/2888-25-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2888-11-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads