darkcomet | 60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063

Analysis

max time kernel
96s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Size

4.6MB
MD5

d35685275d19eba3a22a46003858b4b0
SHA1

196ffdf8fab82a9fe1a268cd6a6897ef331b46bb
SHA256

60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063
SHA512

5e33cd1983d05b9697ef3a0cb4ac8129f53b0156c434dad1398dec6e67b44e5fa82d531741b8afcf32e8106d59d64aeba5e71e53a6dba352d4f89621217374cf
SSDEEP

98304:J6b+fgPSpV+apIEypgOTCqAijHZA65ALrpjiN8:JyBAONp5AijH6AAPpjL

Score

10^/10

darkcomet eski kamarun discovery evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

eski kamarun

haybensenin3.zapto.org:1604

Mutex

DC_MUTEX-4J5WTK5

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
Yf3o5TbGwnLJ
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
5800	attrib.exe
5196	attrib.exe
8224	attrib.exe
10048	attrib.exe
10720	attrib.exe
4452	attrib.exe
11084	attrib.exe
9712	attrib.exe
7604	attrib.exe
1896	attrib.exe
3472	attrib.exe
10624	attrib.exe
13404	attrib.exe
13972	attrib.exe
968	attrib.exe
2668	attrib.exe
9420	attrib.exe
220	attrib.exe
10288	attrib.exe
4440	attrib.exe
7984	attrib.exe
13356	attrib.exe
6968	attrib.exe
8608	attrib.exe
6440	attrib.exe
6084	attrib.exe
8620	attrib.exe
9604	attrib.exe
1236	attrib.exe
14316	attrib.exe
2368	attrib.exe
3136	attrib.exe
12656	attrib.exe
9748	attrib.exe
8248	attrib.exe
10152	attrib.exe
10556	attrib.exe
1744	attrib.exe
9152	attrib.exe
5108	attrib.exe
5856	attrib.exe
1020	attrib.exe
12996	attrib.exe
13176	attrib.exe
6612	attrib.exe
7544	attrib.exe
11448	attrib.exe
11036	attrib.exe
2876	attrib.exe
7188	attrib.exe
7848	attrib.exe
3860	attrib.exe
6256	attrib.exe
4028	attrib.exe
8520	attrib.exe
6052	attrib.exe
3400	attrib.exe
12380	attrib.exe
6440	attrib.exe
9236	attrib.exe
1928	attrib.exe
6704	attrib.exe
7808	attrib.exe
7944	attrib.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	MT2-MULTI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	msdcsc.exe

Deletes itself 1 IoCs

pid	Process
4184	notepad.exe

Executes dropped EXE 64 IoCs

pid	Process
3828	MT2-MULTI.EXE
2768	msdcsc.exe
3064	MT2-MULTI.EXE
4676	msdcsc.exe
4416	MT2-MULTI.EXE
4956	msdcsc.exe
1212	MT2-MULTI.EXE
5092	msdcsc.exe
1124	MT2-MULTI.EXE
3636	msdcsc.exe
3428	MT2-MULTI.EXE
2680	msdcsc.exe
1544	MT2-MULTI.EXE
4184	msdcsc.exe
4988	MT2-MULTI.EXE
992	msdcsc.exe
412	MT2-MULTI.EXE
1276	msdcsc.exe
3596	MT2-MULTI.EXE
2156	msdcsc.exe
2176	MT2-MULTI.EXE
3496	msdcsc.exe
4220	MT2-MULTI.EXE
4548	msdcsc.exe
2680	MT2-MULTI.EXE
4296	msdcsc.exe
2100	MT2-MULTI.EXE
5152	msdcsc.exe
5252	MT2-MULTI.EXE
5500	msdcsc.exe
5576	MT2-MULTI.EXE
5680	msdcsc.exe
5764	MT2-MULTI.EXE
5892	msdcsc.exe
5964	MT2-MULTI.EXE
6068	msdcsc.exe
4280	MT2-MULTI.EXE
5472	msdcsc.exe
5648	MT2-MULTI.EXE
5848	msdcsc.exe
5992	MT2-MULTI.EXE
5160	msdcsc.exe
5276	MT2-MULTI.EXE
4640	msdcsc.exe
5680	MT2-MULTI.EXE
2732	msdcsc.exe
5196	MT2-MULTI.EXE
4640	msdcsc.exe
2984	MT2-MULTI.EXE
5216	msdcsc.exe
6232	MT2-MULTI.EXE
6320	msdcsc.exe
6388	MT2-MULTI.EXE
6500	msdcsc.exe
6584	MT2-MULTI.EXE
6680	msdcsc.exe
6768	MT2-MULTI.EXE
6860	msdcsc.exe
6944	MT2-MULTI.EXE
7036	msdcsc.exe
7132	MT2-MULTI.EXE
6272	msdcsc.exe
6184	MT2-MULTI.EXE
2092	msdcsc.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c84-7.dat	upx
behavioral2/memory/3828-11-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/4416-181-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/1212-244-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/1124-253-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/3828-259-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/3428-261-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/1544-268-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/3064-267-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/4988-276-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/4416-275-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/412-289-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/1212-288-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/3064-287-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/1124-296-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/3596-297-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/3428-304-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/2176-305-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/1544-312-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/4220-313-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/1124-334-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/3428-338-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/4988-339-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/2680-340-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/412-348-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/2100-349-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/3596-356-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/5252-357-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/3064-381-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/412-382-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/2176-385-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/5576-386-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/5764-391-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/4416-390-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/4220-392-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/1212-396-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/2680-397-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/5964-398-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/1124-402-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/2100-403-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/4280-404-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/3428-427-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/5252-429-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/5648-430-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/1544-435-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/5576-436-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/5992-437-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/4988-441-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/5764-442-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/5964-483-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/4280-492-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/5648-500-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral2/memory/5992-510-0x0000000000400000-0x00000000008C5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7668	7572	WerFault.exe	327

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeSecurityPrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeBackupPrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeRestorePrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeShutdownPrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeDebugPrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeUndockPrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: 33	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: 34	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: 35	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: 36	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2768	msdcsc.exe
Token: SeSecurityPrivilege	2768	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2768	msdcsc.exe
Token: SeLoadDriverPrivilege	2768	msdcsc.exe
Token: SeSystemProfilePrivilege	2768	msdcsc.exe
Token: SeSystemtimePrivilege	2768	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2768	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2768	msdcsc.exe
Token: SeCreatePagefilePrivilege	2768	msdcsc.exe
Token: SeBackupPrivilege	2768	msdcsc.exe
Token: SeRestorePrivilege	2768	msdcsc.exe
Token: SeShutdownPrivilege	2768	msdcsc.exe
Token: SeDebugPrivilege	2768	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2768	msdcsc.exe
Token: SeChangeNotifyPrivilege	2768	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2768	msdcsc.exe
Token: SeUndockPrivilege	2768	msdcsc.exe
Token: SeManageVolumePrivilege	2768	msdcsc.exe
Token: SeImpersonatePrivilege	2768	msdcsc.exe
Token: SeCreateGlobalPrivilege	2768	msdcsc.exe
Token: 33	2768	msdcsc.exe
Token: 34	2768	msdcsc.exe
Token: 35	2768	msdcsc.exe
Token: 36	2768	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	4676	msdcsc.exe
Token: SeSecurityPrivilege	4676	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4676	msdcsc.exe
Token: SeLoadDriverPrivilege	4676	msdcsc.exe
Token: SeSystemProfilePrivilege	4676	msdcsc.exe
Token: SeSystemtimePrivilege	4676	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4676	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4676	msdcsc.exe
Token: SeCreatePagefilePrivilege	4676	msdcsc.exe
Token: SeBackupPrivilege	4676	msdcsc.exe
Token: SeRestorePrivilege	4676	msdcsc.exe
Token: SeShutdownPrivilege	4676	msdcsc.exe
Token: SeDebugPrivilege	4676	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4676	msdcsc.exe
Token: SeChangeNotifyPrivilege	4676	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4676	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 3436	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	82
PID 2216 wrote to memory of 3436	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	82
PID 2216 wrote to memory of 3436	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	82
PID 2216 wrote to memory of 3828	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	84
PID 2216 wrote to memory of 3828	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	84
PID 2216 wrote to memory of 3828	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	84
PID 3436 wrote to memory of 3860	3436	cmd.exe	85
PID 3436 wrote to memory of 3860	3436	cmd.exe	85
PID 3436 wrote to memory of 3860	3436	cmd.exe	85
PID 2216 wrote to memory of 4184	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	86
PID 2216 wrote to memory of 4184	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	86
PID 2216 wrote to memory of 4184	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	86
PID 2216 wrote to memory of 4184	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	86
PID 2216 wrote to memory of 4184	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	86
PID 2216 wrote to memory of 4184	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	86
PID 2216 wrote to memory of 4184	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	86
PID 2216 wrote to memory of 4184	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	86
PID 2216 wrote to memory of 4184	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	86
PID 2216 wrote to memory of 4184	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	86
PID 2216 wrote to memory of 4184	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	86
PID 2216 wrote to memory of 4184	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	86
PID 2216 wrote to memory of 4184	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	86
PID 2216 wrote to memory of 4184	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	86
PID 2216 wrote to memory of 4184	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	86
PID 2216 wrote to memory of 4184	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	86
PID 2216 wrote to memory of 4184	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	86
PID 2216 wrote to memory of 2768	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	87
PID 2216 wrote to memory of 2768	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	87
PID 2216 wrote to memory of 2768	2216	d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe	87
PID 3828 wrote to memory of 2488	3828	MT2-MULTI.EXE	88
PID 3828 wrote to memory of 2488	3828	MT2-MULTI.EXE	88
PID 3828 wrote to memory of 2488	3828	MT2-MULTI.EXE	88
PID 2768 wrote to memory of 872	2768	msdcsc.exe	91
PID 2768 wrote to memory of 872	2768	msdcsc.exe	91
PID 2768 wrote to memory of 872	2768	msdcsc.exe	91
PID 2768 wrote to memory of 3064	2768	msdcsc.exe	93
PID 2768 wrote to memory of 3064	2768	msdcsc.exe	93
PID 2768 wrote to memory of 3064	2768	msdcsc.exe	93
PID 2488 wrote to memory of 4012	2488	cmd.exe	94
PID 2488 wrote to memory of 4012	2488	cmd.exe	94
PID 2488 wrote to memory of 4012	2488	cmd.exe	94
PID 872 wrote to memory of 968	872	cmd.exe	95
PID 872 wrote to memory of 968	872	cmd.exe	95
PID 872 wrote to memory of 968	872	cmd.exe	95
PID 2768 wrote to memory of 832	2768	msdcsc.exe	96
PID 2768 wrote to memory of 832	2768	msdcsc.exe	96
PID 2768 wrote to memory of 832	2768	msdcsc.exe	96
PID 2768 wrote to memory of 832	2768	msdcsc.exe	96
PID 2768 wrote to memory of 832	2768	msdcsc.exe	96
PID 2768 wrote to memory of 832	2768	msdcsc.exe	96
PID 2768 wrote to memory of 832	2768	msdcsc.exe	96
PID 2768 wrote to memory of 832	2768	msdcsc.exe	96
PID 2768 wrote to memory of 832	2768	msdcsc.exe	96
PID 2768 wrote to memory of 832	2768	msdcsc.exe	96
PID 2768 wrote to memory of 832	2768	msdcsc.exe	96
PID 2768 wrote to memory of 832	2768	msdcsc.exe	96
PID 2768 wrote to memory of 832	2768	msdcsc.exe	96
PID 2768 wrote to memory of 832	2768	msdcsc.exe	96
PID 2768 wrote to memory of 832	2768	msdcsc.exe	96
PID 2768 wrote to memory of 832	2768	msdcsc.exe	96
PID 2768 wrote to memory of 832	2768	msdcsc.exe	96
PID 2768 wrote to memory of 4676	2768	msdcsc.exe	97
PID 2768 wrote to memory of 4676	2768	msdcsc.exe	97
PID 2768 wrote to memory of 4676	2768	msdcsc.exe	97

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
8248	attrib.exe
2964	attrib.exe
220	attrib.exe
11804	attrib.exe
10288	attrib.exe
6352	attrib.exe
5800	attrib.exe
10368	attrib.exe
11188	attrib.exe
7604	attrib.exe
1020	attrib.exe
7992	attrib.exe
8868	attrib.exe
9236	attrib.exe
12580	attrib.exe
13176	attrib.exe
6792	attrib.exe
12996	attrib.exe
6440	attrib.exe
8308	attrib.exe
9420	attrib.exe
9960	attrib.exe
11180	attrib.exe
5620	attrib.exe
6540	attrib.exe
7648	attrib.exe
4392	attrib.exe
1088	attrib.exe
10624	attrib.exe
7808	attrib.exe
8620	attrib.exe
10548	attrib.exe
13784	attrib.exe
2304	attrib.exe
11448	attrib.exe
6968	attrib.exe
7544	attrib.exe
9604	attrib.exe
12788	attrib.exe
6084	attrib.exe
7368	attrib.exe
3400	attrib.exe
11096	attrib.exe
1236	attrib.exe
13356	attrib.exe
4424	attrib.exe
1896	attrib.exe
2368	attrib.exe
8224	attrib.exe
8424	attrib.exe
9796	attrib.exe
12656	attrib.exe
13608	attrib.exe
14316	attrib.exe
6440	attrib.exe
3472	attrib.exe
3028	attrib.exe
4716	attrib.exe
4428	attrib.exe
7188	attrib.exe
10904	attrib.exe
11268	attrib.exe
4440	attrib.exe
7156	attrib.exe

C:\Users\Admin\AppData\Local\Temp\d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\d35685275d19eba3a22a46003858b4b0_JaffaCakes118.exe" +s +h
    3⤵
    - Sets file to hidden
    PID:3860
- C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
  "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AD95.tmp\Mt2-Multi.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\SysWOW64\xcopy.exe
      xcopy root.eix pack /y
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:4012
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:4184
- C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
  "C:\Windows\system32\MSDCSC\msdcsc.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      PID:968
- - C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
    "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
    3⤵
    - Executes dropped EXE
    PID:3064
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:832
- - C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe
    "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:4676
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
      4⤵
      PID:3152
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:4452
  - - C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
      "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
      4⤵
      Executes dropped EXE
      PID:4416
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:3092
  - - C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
      "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      PID:4956
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        5⤵
        
        PID:1320
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        6⤵
        Views/modifies file attributes
        
        PID:4392
    - - C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1212
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:2700
    - - C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5092
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        6⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        7⤵
        
        PID:1488
      - C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        6⤵
        Executes dropped EXE
        
        PID:1124
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        
        PID:1216
      - C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        7⤵
        
        PID:32
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        8⤵
        Views/modifies file attributes
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        7⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        7⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        8⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        8⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        9⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        10⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        9⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        9⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        9⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        11⤵
        Views/modifies file attributes
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        10⤵
        Executes dropped EXE
        
        PID:412
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        10⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        10⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        11⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        12⤵
        Sets file to hidden
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        11⤵
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        11⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        11⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        12⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        13⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        12⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        12⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        12⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        13⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        14⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        13⤵
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        13⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        13⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        14⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        15⤵
        Sets file to hidden
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        14⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        14⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        14⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        15⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        16⤵
        Views/modifies file attributes
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        15⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        16⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        16⤵
        Executes dropped EXE
        
        PID:5252
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        16⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        16⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        17⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        18⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        17⤵
        Executes dropped EXE
        
        PID:5576
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        17⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        17⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        18⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        19⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        18⤵
        Executes dropped EXE
        
        PID:5764
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        18⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        18⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        19⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        20⤵
        Sets file to hidden
        
        PID:6052
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        19⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        19⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:6068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        20⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        21⤵
        Sets file to hidden
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        20⤵
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        20⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        20⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        21⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        22⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        21⤵
        Executes dropped EXE
        
        PID:5648
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        21⤵
        
        PID:764
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        21⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        23⤵
        Sets file to hidden
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        23⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        24⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        23⤵
        Executes dropped EXE
        
        PID:5276
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        23⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        23⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        24⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        25⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        24⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        25⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        26⤵
        Views/modifies file attributes
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        25⤵
        Executes dropped EXE
        
        PID:5196
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        25⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        27⤵
        Drops file in System32 directory
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        26⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        26⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        27⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        28⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:6256
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        27⤵
        Executes dropped EXE
        
        PID:6232
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        27⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        27⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        28⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        29⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6440
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6388
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        28⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        28⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:6548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        30⤵
        Sets file to hidden
        
        PID:6612
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        29⤵
        Executes dropped EXE
        
        PID:6584
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        29⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        29⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:6680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        30⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        31⤵
        Views/modifies file attributes
        
        PID:6792
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        30⤵
        Executes dropped EXE
        
        PID:6768
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        30⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:6908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        32⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6968
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        31⤵
        Executes dropped EXE
        
        PID:6944
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        31⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        31⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:7036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        32⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        33⤵
        Views/modifies file attributes
        
        PID:7156
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        32⤵
        Executes dropped EXE
        
        PID:7132
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        32⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        32⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:6272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        33⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        34⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6352
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        33⤵
        Executes dropped EXE
        
        PID:6184
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        33⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        33⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:6544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        35⤵
        Drops file in System32 directory
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        34⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:6692
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        34⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:6896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        36⤵
        
        PID:7064
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        35⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        35⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        35⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:6348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        36⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        37⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        36⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        36⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        36⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:7012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        37⤵
        
        PID:7020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        38⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6540
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        37⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        37⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        37⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        38⤵
        
        PID:7016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        39⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7188
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        38⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        38⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:7256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        39⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        40⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:7368
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        39⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        39⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        39⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:7424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        40⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        41⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:7544
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        40⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        40⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7572 -s 348
        41⤵
        Program crash
        
        PID:7668
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        40⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:7676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        41⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        42⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:7808
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        41⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        41⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        41⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:7880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        42⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        43⤵
        Views/modifies file attributes
        
        PID:7992
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        42⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        42⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        42⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        43⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        44⤵
        
        PID:8172
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        43⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        43⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        43⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:6540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        44⤵
        
        PID:7372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        45⤵
        
        PID:7292
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        44⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        44⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        44⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:7644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        45⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        46⤵
        Sets file to hidden
        
        PID:7848
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        45⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:7704
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        45⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:7896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:8004
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        46⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        46⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        46⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:8068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        47⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        48⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:7648
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        47⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        47⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        47⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:7192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        48⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        49⤵
        Drops file in System32 directory
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        48⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        48⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        48⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        49⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        50⤵
        Sets file to hidden
        
        PID:7944
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        49⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        49⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        49⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        50⤵
        
        PID:4072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        51⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8224
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        50⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        50⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        50⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        51⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        52⤵
        Views/modifies file attributes
        
        PID:8424
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        51⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        51⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        51⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:8488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        52⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        53⤵
        Sets file to hidden
        
        PID:8608
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        52⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        52⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        52⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:8676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        53⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        54⤵
        
        PID:8796
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        53⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        53⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        53⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:8860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        54⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        55⤵
        
        PID:8976
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        54⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:9000
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        54⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:9036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        55⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        56⤵
        
        PID:9160
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:9120
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        55⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        55⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:9212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        56⤵
        
        PID:6052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        57⤵
        
        PID:8316
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        56⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        56⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        56⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:8340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:8304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        58⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8620
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        57⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        57⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:8528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        58⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        59⤵
        Views/modifies file attributes
        
        PID:8868
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        58⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        58⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        58⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        59⤵
        
        PID:9048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:9168
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        59⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        59⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        59⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:9080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        60⤵
        
        PID:1080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        61⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8248
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        60⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        60⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        61⤵
        
        PID:8500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        62⤵
        Views/modifies file attributes
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        61⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        61⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Modifies registry class
        
        PID:8528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:9060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        63⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        62⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        62⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        62⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        
        PID:9044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        63⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        64⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6440
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        63⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        63⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        63⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        64⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        65⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:8308
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        64⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        64⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        64⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:7112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        66⤵
        Sets file to hidden
        
        PID:8520
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        65⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        65⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        65⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        66⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        67⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:9236
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        66⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        66⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        66⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:9308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        67⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        68⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:9420
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        67⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        67⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        67⤵
        Checks computer location settings
        Modifies registry class
        
        PID:9488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        68⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        69⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:9604
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        68⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:9632
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        68⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:9672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        69⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        70⤵
        Views/modifies file attributes
        
        PID:9796
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        69⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        69⤵
        
        PID:9812
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        69⤵
        Modifies registry class
        
        PID:9848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        70⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        71⤵
        Views/modifies file attributes
        
        PID:9960
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        70⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        70⤵
        
        PID:9988
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        70⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:10032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:10084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        72⤵
        Sets file to hidden
        
        PID:10152
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        71⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:10176
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        71⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Modifies registry class
        
        PID:10216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        72⤵
        
        PID:9252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        73⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        72⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        72⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        
        PID:9336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:9548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:9508
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        73⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        74⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        75⤵
        Sets file to hidden
        
        PID:9712
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        74⤵
        
        PID:9708
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        74⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        74⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Modifies registry class
        
        PID:10024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        75⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        76⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        75⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:10036
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        75⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        76⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        76⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        76⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        76⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:7608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        77⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        78⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        77⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        77⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        77⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:9808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        79⤵
        Sets file to hidden
        
        PID:10048
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        78⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        78⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        78⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        79⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        80⤵
        Sets file to hidden
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        79⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        79⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        79⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        80⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        81⤵
        Sets file to hidden
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        80⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        80⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        80⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        81⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        82⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        81⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        81⤵
        
        PID:728
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        81⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:8780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        82⤵
        
        PID:9564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        83⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        82⤵
        
        PID:388
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        82⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        82⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        83⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        84⤵
        Views/modifies file attributes
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        83⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        83⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        83⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        84⤵
        
        PID:10300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        85⤵
        Views/modifies file attributes
        
        PID:10368
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        84⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        84⤵
        
        PID:10396
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        84⤵
        
        PID:10432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        85⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        86⤵
        Views/modifies file attributes
        
        PID:10548
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        85⤵
        
        PID:10524
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        85⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        85⤵
        
        PID:10608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        86⤵
        
        PID:10668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        87⤵
        Sets file to hidden
        
        PID:10720
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        86⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        86⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        86⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        87⤵
        
        PID:10844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        88⤵
        Views/modifies file attributes
        
        PID:10904
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        87⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        87⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        87⤵
        
        PID:10976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        88⤵
        
        PID:11024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        89⤵
        Sets file to hidden
        
        PID:11084
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        88⤵
        
        PID:11052
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        88⤵
        
        PID:11120
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        88⤵
        
        PID:11160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        89⤵
        
        PID:11208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        90⤵
        
        PID:8252
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        89⤵
        
        PID:11244
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        89⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        89⤵
        
        PID:10380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        90⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        91⤵
        Sets file to hidden
        
        PID:10556
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        90⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        90⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        90⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        91⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        92⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:10624
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        91⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        91⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        91⤵
        
        PID:10912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        92⤵
        
        PID:10812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        93⤵
        Views/modifies file attributes
        
        PID:11096
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        92⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        92⤵
        
        PID:11104
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        92⤵
        
        PID:10996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        93⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        94⤵
        Views/modifies file attributes
        
        PID:11180
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        93⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        93⤵
        
        PID:11168
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        93⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        94⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        95⤵
        
        PID:8624
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        94⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        94⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        94⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        95⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        96⤵
        Sets file to hidden
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        95⤵
        
        PID:10836
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        95⤵
        
        PID:10928
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        95⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        96⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        97⤵
        Views/modifies file attributes
        
        PID:11188
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        96⤵
        
        PID:10996
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        96⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        96⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        97⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        98⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7604
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        97⤵
        
        PID:10904
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        97⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        97⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        98⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        99⤵
        Sets file to hidden
        
        PID:7984
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        98⤵
        
        PID:10280
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        98⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        98⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        99⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        100⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        99⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        99⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        99⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        100⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        101⤵
        Views/modifies file attributes
        
        PID:11268
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        100⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        100⤵
        
        PID:11292
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        100⤵
        
        PID:11336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        101⤵
        
        PID:11384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        102⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:11448
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        101⤵
        
        PID:11424
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        101⤵
        
        PID:11468
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        101⤵
        
        PID:11512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        102⤵
        
        PID:11560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        103⤵
        
        PID:11612
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        102⤵
        
        PID:11620
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        102⤵
        
        PID:11656
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        102⤵
        
        PID:11696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        103⤵
        
        PID:11744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        104⤵
        Views/modifies file attributes
        
        PID:11804
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        103⤵
        
        PID:11780
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        103⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        103⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        104⤵
        
        PID:12328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        105⤵
        Sets file to hidden
        
        PID:12380
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        104⤵
        
        PID:12396
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        104⤵
        
        PID:12420
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        104⤵
        
        PID:12460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        105⤵
        
        PID:12508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        106⤵
        Views/modifies file attributes
        
        PID:12580
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        105⤵
        
        PID:12552
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        105⤵
        
        PID:12604
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        105⤵
        
        PID:12640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        106⤵
        
        PID:12716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        107⤵
        Views/modifies file attributes
        
        PID:12788
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        106⤵
        
        PID:12768
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        106⤵
        
        PID:12820
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        106⤵
        
        PID:12872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        107⤵
        
        PID:12928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        108⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:12996
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        107⤵
        
        PID:12980
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        107⤵
        
        PID:13024
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        107⤵
        
        PID:13060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        108⤵
        
        PID:13124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        109⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:13176
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        108⤵
        
        PID:13168
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        108⤵
        
        PID:13204
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        108⤵
        
        PID:13244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        109⤵
        
        PID:13300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        110⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        109⤵
        
        PID:11732
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        109⤵
        
        PID:12392
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        109⤵
        
        PID:12308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        110⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        111⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        110⤵
        
        PID:12580
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        110⤵
        
        PID:12488
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        110⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        111⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        112⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:12656
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        111⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        111⤵
        
        PID:12652
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        111⤵
        
        PID:13000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        112⤵
        
        PID:12912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        113⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        112⤵
        
        PID:216
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        112⤵
        
        PID:13012
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        112⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        113⤵
        
        PID:13088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        114⤵
        Sets file to hidden
        
        PID:9152
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        113⤵
        
        PID:13260
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        113⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        113⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        114⤵
        
        PID:13248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        115⤵
        Views/modifies file attributes
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        114⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        114⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        114⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        115⤵
        
        PID:12888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        116⤵
        
        PID:12788
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        115⤵
        
        PID:12800
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        115⤵
        
        PID:13072
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        115⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        116⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        117⤵
        
        PID:10764
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        116⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        116⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        116⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        117⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        118⤵
        
        PID:8920
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        117⤵
        
        PID:12480
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        117⤵
        
        PID:13272
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        117⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        118⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        119⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        118⤵
        
        PID:12520
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        118⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        118⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        119⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        120⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        119⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        119⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        119⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        120⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        121⤵
        Sets file to hidden
        
        PID:11036
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        120⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        120⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        120⤵
        
        PID:13200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        121⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        122⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:10288
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        121⤵
        
        PID:12568
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        121⤵
        
        PID:12804
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        121⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        122⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        123⤵
        Sets file to hidden
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        122⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        122⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        122⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        123⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        124⤵
        Sets file to hidden
        
        PID:9748
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        123⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        123⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        123⤵
        
        PID:9828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        124⤵
        
        PID:13360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        125⤵
        Sets file to hidden
        
        PID:13404
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        124⤵
        
        PID:13412
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        124⤵
        
        PID:13460
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        124⤵
        
        PID:13496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        125⤵
        
        PID:13548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        126⤵
        Views/modifies file attributes
        
        PID:13608
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        125⤵
        
        PID:13584
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        125⤵
        
        PID:13640
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        125⤵
        
        PID:13676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        126⤵
        
        PID:13724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        127⤵
        Views/modifies file attributes
        
        PID:13784
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        126⤵
        
        PID:13752
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        126⤵
        
        PID:13820
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        126⤵
        
        PID:13860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        127⤵
        
        PID:13912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        128⤵
        Sets file to hidden
        
        PID:13972
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        127⤵
        
        PID:13948
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        127⤵
        
        PID:14004
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        127⤵
        
        PID:14044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        128⤵
        
        PID:14092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        129⤵
        
        PID:14152
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        128⤵
        
        PID:14128
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        128⤵
        
        PID:14168
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        128⤵
        
        PID:14212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        129⤵
        
        PID:14264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        130⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:14316
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        129⤵
        
        PID:14308
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        129⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        129⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        130⤵
        
        PID:13440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        131⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:13356
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        130⤵
        
        PID:13336
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        130⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        130⤵
        
        PID:5172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7572 -ip 7572
1⤵
PID:7644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AD95.tmp\Mt2-Multi.bat

Filesize
1017B

MD5
e8418b1de6056eba9bc6ab0c39816d92

SHA1
84f1a312e1e091a6a3a2732dfaadb184925ecf23

SHA256
dc03a6cb5d890b394710e7e7e62078769e022f67fc860ef395c9266cc6e366c3

SHA512
5850e9ae599d8e331cd1de9d588b6141a5fb49535465269e77f48f5f8c502e8031bc8db323c24ea8d4848fc65504ae1fbd6fde668ed14ae1f5671efccdc8215b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE

Filesize
4.0MB

MD5
ccc17e89b056812ed0974d656b1238af

SHA1
3cb7818b697a97a51765849dfdc1d907a53e3b46

SHA256
5665f6c603b8356a61fe90d5d90b0ea945342c90210eccdf4884d1ca88013703

SHA512
67c327330ea33026e447c3b636c86833145e2b9931b423cfa906c4d0423504e7d374f389cb3c1b31cc98e3f235b9e0e14d633b0b7df1f0135b5df71187510601

Download Submit
C:\Users\Admin\AppData\Local\Temp\locale_de.eix

Filesize
5KB

MD5
ecd47ce38514bdcc77261d7999c1fc31

SHA1
2474132673bff0597126066a02aacf93d121df33

SHA256
7de3ed1684a75828b8b018b657377526d3757ec12c3bae23b791397d99725177

SHA512
f444739eba131ead9fb3758866c695da3e9b71fcd17f9a9b6f17a8385eadb2d9c5b525048c2ec79792e6524f2620c73151fc49956335b684756f3dec8e97d800

Download Submit
C:\Users\Admin\AppData\Local\Temp\locale_de.epk

Filesize
4.0MB

MD5
d7f078c90867fcde7c5d8436cc56971c

SHA1
b1f71f7496418a479ceaf584d010b5c33dd8974e

SHA256
90e38a646c07e5ea8456459bee2d07920e48bd916e841f8328372d2971a74c98

SHA512
2b44e4e583c8d6205d1e5532c50d2811bc704455ba89312746084a2a3d5e688c7a12c3fcd5c2031abb6a84a2eb9f8406f1096f1236bcc1496bde07365dbaba13

Download Submit
C:\Users\Admin\AppData\Local\Temp\mod_config.cfg

Filesize
105B

MD5
f856c5b043e95b51974550405aef95af

SHA1
e7e8b5e0000fdb416a46c3d95316520e92c5185e

SHA256
b1bb1ad59ab40011980401ad514b4e7a2adcba56912045afbad090f593fce813

SHA512
e38a84fd7baef517a9cf031c69ce63cb4136de2ec2cf8665d24b9632faf5fed523b73754225c6cce92967ea378f85d21c21e0735dc070891f1a52a57f769927f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mod_config.cfg

Filesize
105B

MD5
54238236c2a531dfcea6f2b8690c33bf

SHA1
9fd2fb1e86cbe123063222aeb8a6f071ca985078

SHA256
6401939607fdc464646a0b077d75fa443582989b50376766f916f87b0c476e93

SHA512
d38dc5f9033f7c0a7bbb76827d2a142703e53a18d743cef4bd2a83679ed902ec0a23c7b89feb469dd3fec8a3b7c3cfacd7d4b493975a9bf75d29adc7b06f6820

Download Submit
C:\Users\Admin\AppData\Local\Temp\root.eix

Filesize
3KB

MD5
bd2a5779cc56ea237fcf3190e3a0c0e8

SHA1
3b017ae3f3e64754f99ab3803560aa154f03d5d6

SHA256
e1be3b513f11f6745da58ca609704591658510dfb58a42fc660f86dae68a4992

SHA512
ee664522f20f364d2d99ebeaedc639d156f96d1674fe0ae20c4b817b0043de471caf5d69ec7a7711aa81e7e1e9237de168f3a45e734f44ca74ce84cdc9fbc65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\root.epk

Filesize
476KB

MD5
052214cae0574f9f9df2ce48b78ef959

SHA1
102819de6e4c81cf3a4d6d95d9913623d0e9b8b1

SHA256
2a517cff369037c935ce1b70d5d2e174b75803d2bcacac32384800687afdb824

SHA512
811b521cd8ebfd824100cc7e7b34111939f17586794abc88351a45dbce87a9e44ff758b62b8ec6ba732da11a827c5af4432a78365096b04d1d4e770621f9a1ca

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
4.6MB

MD5
d35685275d19eba3a22a46003858b4b0

SHA1
196ffdf8fab82a9fe1a268cd6a6897ef331b46bb

SHA256
60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063

SHA512
5e33cd1983d05b9697ef3a0cb4ac8129f53b0156c434dad1398dec6e67b44e5fa82d531741b8afcf32e8106d59d64aeba5e71e53a6dba352d4f89621217374cf

Download Submit
memory/412-348-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/412-382-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/412-289-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/992-294-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/1124-296-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1124-334-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1124-253-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1124-402-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1212-244-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1212-396-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1212-288-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1276-302-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/1544-435-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1544-312-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1544-268-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2100-403-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2100-349-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2156-310-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/2176-305-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2176-385-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2216-109-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/2216-0-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/2680-397-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2680-340-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2680-272-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/2768-177-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/3064-287-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/3064-381-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/3064-267-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/3428-427-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/3428-261-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/3428-338-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/3428-304-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/3496-336-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/3596-356-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/3596-297-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/3636-265-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/3828-11-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/3828-259-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4184-280-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/4184-12-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/4220-392-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4220-313-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4280-404-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4280-492-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4296-353-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/4416-181-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4416-275-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4416-390-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4548-345-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/4676-241-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/4956-248-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/4988-339-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4988-441-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/4988-276-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/5092-258-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/5152-383-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/5160-445-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/5252-357-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/5252-429-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/5472-433-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/5500-389-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/5576-436-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/5576-386-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/5648-500-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/5648-430-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/5680-395-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/5764-391-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/5764-442-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/5848-440-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/5892-401-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/5964-483-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/5964-398-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/5992-437-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/5992-510-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/6068-428-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads