darkcomet | 60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063

Analysis

max time kernel
60s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Size

4.6MB
MD5

d35685275d19eba3a22a46003858b4b0
SHA1

196ffdf8fab82a9fe1a268cd6a6897ef331b46bb
SHA256

60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063
SHA512

5e33cd1983d05b9697ef3a0cb4ac8129f53b0156c434dad1398dec6e67b44e5fa82d531741b8afcf32e8106d59d64aeba5e71e53a6dba352d4f89621217374cf
SSDEEP

98304:J6b+fgPSpV+apIEypgOTCqAijHZA65ALrpjiN8:JyBAONp5AijH6AAPpjL

Score

10^/10

darkcomet eski kamarun discovery evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

eski kamarun

haybensenin3.zapto.org:1604

Mutex

DC_MUTEX-4J5WTK5

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
Yf3o5TbGwnLJ
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2868	attrib.exe
3168	attrib.exe
4000	attrib.exe
6092	attrib.exe
7568	attrib.exe
3640	attrib.exe
5312	attrib.exe
7856	attrib.exe
3316	attrib.exe
5204	attrib.exe
6968	attrib.exe
2400	attrib.exe
3912	attrib.exe
5372	attrib.exe
7020	attrib.exe
7332	attrib.exe
992	attrib.exe
1408	attrib.exe
4516	attrib.exe
272	attrib.exe
5080	attrib.exe
7284	attrib.exe
7508	attrib.exe
6696	attrib.exe
5300	attrib.exe
2060	attrib.exe
5076	attrib.exe
4540	attrib.exe
5432	attrib.exe
6132	attrib.exe
5796	attrib.exe
3504	attrib.exe
4588	attrib.exe
7648	attrib.exe
5648	attrib.exe
7768	attrib.exe
2488	attrib.exe
1608	attrib.exe
2360	attrib.exe
1776	attrib.exe
3920	attrib.exe
6488	attrib.exe
5672	attrib.exe
6252	attrib.exe
1968	attrib.exe
6468	attrib.exe
7672	attrib.exe
2024	attrib.exe
272	attrib.exe
5764	attrib.exe
6556	attrib.exe
6868	attrib.exe
3120	attrib.exe
4112	attrib.exe
6004	attrib.exe
2524	attrib.exe
2988	attrib.exe
3404	attrib.exe
4116	attrib.exe
5992	attrib.exe
7220	attrib.exe
1960	attrib.exe
2904	attrib.exe
2292	attrib.exe

Deletes itself 1 IoCs

pid	Process
2516	notepad.exe

Executes dropped EXE 64 IoCs

pid	Process
2160	MT2-MULTI.EXE
2492	msdcsc.exe
2884	MT2-MULTI.EXE
2744	msdcsc.exe
2384	MT2-MULTI.EXE
1208	msdcsc.exe
1212	MT2-MULTI.EXE
2304	msdcsc.exe
2200	MT2-MULTI.EXE
2976	msdcsc.exe
2820	MT2-MULTI.EXE
1996	msdcsc.exe
1316	MT2-MULTI.EXE
592	msdcsc.exe
2448	MT2-MULTI.EXE
2284	msdcsc.exe
1968	MT2-MULTI.EXE
2124	msdcsc.exe
2024	MT2-MULTI.EXE
3012	msdcsc.exe
1680	MT2-MULTI.EXE
3044	msdcsc.exe
1816	MT2-MULTI.EXE
2588	msdcsc.exe
2340	MT2-MULTI.EXE
2720	msdcsc.exe
2440	MT2-MULTI.EXE
2060	msdcsc.exe
2080	MT2-MULTI.EXE
1776	msdcsc.exe
2924	MT2-MULTI.EXE
1600	msdcsc.exe
2488	MT2-MULTI.EXE
1980	msdcsc.exe
2712	MT2-MULTI.EXE
1516	msdcsc.exe
484	MT2-MULTI.EXE
2564	msdcsc.exe
3056	MT2-MULTI.EXE
2156	msdcsc.exe
2760	MT2-MULTI.EXE
2060	msdcsc.exe
1636	MT2-MULTI.EXE
2388	msdcsc.exe
2588	MT2-MULTI.EXE
1536	msdcsc.exe
1564	MT2-MULTI.EXE
3008	msdcsc.exe
2988	MT2-MULTI.EXE
1656	msdcsc.exe
1728	MT2-MULTI.EXE
2752	msdcsc.exe
536	MT2-MULTI.EXE
2612	msdcsc.exe
2892	MT2-MULTI.EXE
1040	msdcsc.exe
2408	MT2-MULTI.EXE
2172	msdcsc.exe
2152	MT2-MULTI.EXE
1408	msdcsc.exe
2612	MT2-MULTI.EXE
884	msdcsc.exe
1156	MT2-MULTI.EXE
3112	msdcsc.exe

Loads dropped DLL 64 IoCs

pid	Process
1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
2492	msdcsc.exe
2492	msdcsc.exe
2492	msdcsc.exe
2744	msdcsc.exe
2744	msdcsc.exe
2744	msdcsc.exe
1208	msdcsc.exe
1208	msdcsc.exe
1208	msdcsc.exe
2304	msdcsc.exe
2304	msdcsc.exe
2304	msdcsc.exe
2976	msdcsc.exe
2976	msdcsc.exe
2976	msdcsc.exe
1996	msdcsc.exe
1996	msdcsc.exe
1996	msdcsc.exe
592	msdcsc.exe
592	msdcsc.exe
592	msdcsc.exe
2284	msdcsc.exe
2284	msdcsc.exe
2284	msdcsc.exe
2124	msdcsc.exe
2124	msdcsc.exe
2124	msdcsc.exe
3012	msdcsc.exe
3012	msdcsc.exe
3012	msdcsc.exe
3044	msdcsc.exe
3044	msdcsc.exe
3044	msdcsc.exe
2588	msdcsc.exe
2588	msdcsc.exe
2588	msdcsc.exe
2720	msdcsc.exe
2720	msdcsc.exe
2720	msdcsc.exe
2060	msdcsc.exe
2060	msdcsc.exe
2060	msdcsc.exe
1776	msdcsc.exe
1776	msdcsc.exe
1776	msdcsc.exe
1600	msdcsc.exe
1600	msdcsc.exe
1600	msdcsc.exe
1980	msdcsc.exe
1980	msdcsc.exe
1980	msdcsc.exe
1516	msdcsc.exe
1516	msdcsc.exe
1516	msdcsc.exe
2564	msdcsc.exe
2564	msdcsc.exe
2564	msdcsc.exe
2156	msdcsc.exe
2156	msdcsc.exe
2156	msdcsc.exe
2060	msdcsc.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\Yf3o5TbGwnLJ\\Yf3o5TbGwnLJ\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\	msdcsc.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000019377-9.dat	upx
behavioral1/memory/2160-10-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2884-98-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2492-96-0x0000000004210000-0x00000000046D5000-memory.dmp	upx
behavioral1/memory/2384-145-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/1212-190-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2160-225-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2200-229-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2884-268-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2820-267-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2384-300-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/1316-311-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/1212-347-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2448-351-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2200-387-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2820-392-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/1968-391-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2024-430-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/1316-480-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2448-643-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/1968-748-0x0000000000400000-0x00000000008C5000-memory.dmp	upx
behavioral1/memory/2024-848-0x0000000000400000-0x00000000008C5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT2-MULTI.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeSecurityPrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeTakeOwnershipPrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeLoadDriverPrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeSystemProfilePrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeSystemtimePrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeProfSingleProcessPrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeIncBasePriorityPrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeCreatePagefilePrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeBackupPrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeRestorePrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeShutdownPrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeDebugPrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeSystemEnvironmentPrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeChangeNotifyPrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeRemoteShutdownPrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeUndockPrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeManageVolumePrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeImpersonatePrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeCreateGlobalPrivilege	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: 33	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: 34	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: 35	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
Token: SeIncreaseQuotaPrivilege	2492	msdcsc.exe
Token: SeSecurityPrivilege	2492	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2492	msdcsc.exe
Token: SeLoadDriverPrivilege	2492	msdcsc.exe
Token: SeSystemProfilePrivilege	2492	msdcsc.exe
Token: SeSystemtimePrivilege	2492	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2492	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2492	msdcsc.exe
Token: SeCreatePagefilePrivilege	2492	msdcsc.exe
Token: SeBackupPrivilege	2492	msdcsc.exe
Token: SeRestorePrivilege	2492	msdcsc.exe
Token: SeShutdownPrivilege	2492	msdcsc.exe
Token: SeDebugPrivilege	2492	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2492	msdcsc.exe
Token: SeChangeNotifyPrivilege	2492	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2492	msdcsc.exe
Token: SeUndockPrivilege	2492	msdcsc.exe
Token: SeManageVolumePrivilege	2492	msdcsc.exe
Token: SeImpersonatePrivilege	2492	msdcsc.exe
Token: SeCreateGlobalPrivilege	2492	msdcsc.exe
Token: 33	2492	msdcsc.exe
Token: 34	2492	msdcsc.exe
Token: 35	2492	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2744	msdcsc.exe
Token: SeSecurityPrivilege	2744	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2744	msdcsc.exe
Token: SeLoadDriverPrivilege	2744	msdcsc.exe
Token: SeSystemProfilePrivilege	2744	msdcsc.exe
Token: SeSystemtimePrivilege	2744	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2744	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2744	msdcsc.exe
Token: SeCreatePagefilePrivilege	2744	msdcsc.exe
Token: SeBackupPrivilege	2744	msdcsc.exe
Token: SeRestorePrivilege	2744	msdcsc.exe
Token: SeShutdownPrivilege	2744	msdcsc.exe
Token: SeDebugPrivilege	2744	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2744	msdcsc.exe
Token: SeChangeNotifyPrivilege	2744	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2744	msdcsc.exe
Token: SeUndockPrivilege	2744	msdcsc.exe
Token: SeManageVolumePrivilege	2744	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2432	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	30
PID 1996 wrote to memory of 2432	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	30
PID 1996 wrote to memory of 2432	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	30
PID 1996 wrote to memory of 2432	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	30
PID 1996 wrote to memory of 2160	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	32
PID 1996 wrote to memory of 2160	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	32
PID 1996 wrote to memory of 2160	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	32
PID 1996 wrote to memory of 2160	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	32
PID 2432 wrote to memory of 2488	2432	cmd.exe	33
PID 2432 wrote to memory of 2488	2432	cmd.exe	33
PID 2432 wrote to memory of 2488	2432	cmd.exe	33
PID 2432 wrote to memory of 2488	2432	cmd.exe	33
PID 1996 wrote to memory of 2516	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	34
PID 1996 wrote to memory of 2516	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	34
PID 1996 wrote to memory of 2516	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	34
PID 1996 wrote to memory of 2516	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	34
PID 1996 wrote to memory of 2516	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	34
PID 1996 wrote to memory of 2516	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	34
PID 1996 wrote to memory of 2516	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	34
PID 1996 wrote to memory of 2516	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	34
PID 1996 wrote to memory of 2516	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	34
PID 1996 wrote to memory of 2516	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	34
PID 1996 wrote to memory of 2516	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	34
PID 1996 wrote to memory of 2516	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	34
PID 1996 wrote to memory of 2516	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	34
PID 1996 wrote to memory of 2516	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	34
PID 1996 wrote to memory of 2516	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	34
PID 1996 wrote to memory of 2516	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	34
PID 1996 wrote to memory of 2516	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	34
PID 1996 wrote to memory of 2516	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	34
PID 2160 wrote to memory of 2768	2160	MT2-MULTI.EXE	35
PID 2160 wrote to memory of 2768	2160	MT2-MULTI.EXE	35
PID 2160 wrote to memory of 2768	2160	MT2-MULTI.EXE	35
PID 2160 wrote to memory of 2768	2160	MT2-MULTI.EXE	35
PID 2768 wrote to memory of 2144	2768	cmd.exe	37
PID 2768 wrote to memory of 2144	2768	cmd.exe	37
PID 2768 wrote to memory of 2144	2768	cmd.exe	37
PID 2768 wrote to memory of 2144	2768	cmd.exe	37
PID 1996 wrote to memory of 2492	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	38
PID 1996 wrote to memory of 2492	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	38
PID 1996 wrote to memory of 2492	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	38
PID 1996 wrote to memory of 2492	1996	60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe	38
PID 2492 wrote to memory of 3028	2492	msdcsc.exe	39
PID 2492 wrote to memory of 3028	2492	msdcsc.exe	39
PID 2492 wrote to memory of 3028	2492	msdcsc.exe	39
PID 2492 wrote to memory of 3028	2492	msdcsc.exe	39
PID 2492 wrote to memory of 2884	2492	msdcsc.exe	41
PID 2492 wrote to memory of 2884	2492	msdcsc.exe	41
PID 2492 wrote to memory of 2884	2492	msdcsc.exe	41
PID 2492 wrote to memory of 2884	2492	msdcsc.exe	41
PID 3028 wrote to memory of 2192	3028	cmd.exe	70
PID 3028 wrote to memory of 2192	3028	cmd.exe	70
PID 3028 wrote to memory of 2192	3028	cmd.exe	70
PID 3028 wrote to memory of 2192	3028	cmd.exe	70
PID 2492 wrote to memory of 1296	2492	msdcsc.exe	43
PID 2492 wrote to memory of 1296	2492	msdcsc.exe	43
PID 2492 wrote to memory of 1296	2492	msdcsc.exe	43
PID 2492 wrote to memory of 1296	2492	msdcsc.exe	43
PID 2492 wrote to memory of 1296	2492	msdcsc.exe	43
PID 2492 wrote to memory of 1296	2492	msdcsc.exe	43
PID 2492 wrote to memory of 1296	2492	msdcsc.exe	43
PID 2492 wrote to memory of 1296	2492	msdcsc.exe	43
PID 2492 wrote to memory of 1296	2492	msdcsc.exe	43
PID 2492 wrote to memory of 1296	2492	msdcsc.exe	43

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2088	attrib.exe
5992	attrib.exe
7284	attrib.exe
3316	attrib.exe
7136	attrib.exe
6392	attrib.exe
5076	attrib.exe
5204	attrib.exe
5764	attrib.exe
568	attrib.exe
6488	attrib.exe
3640	attrib.exe
3588	attrib.exe
3820	attrib.exe
5080	attrib.exe
3860	attrib.exe
4084	attrib.exe
5372	attrib.exe
8504	attrib.exe
1608	attrib.exe
552	attrib.exe
5684	attrib.exe
6132	attrib.exe
6252	attrib.exe
8280	attrib.exe
3464	attrib.exe
6640	attrib.exe
7992	attrib.exe
7672	attrib.exe
8172	attrib.exe
7332	attrib.exe
2024	attrib.exe
3348	attrib.exe
4516	attrib.exe
6616	attrib.exe
6828	attrib.exe
5300	attrib.exe
8012	attrib.exe
7768	attrib.exe
2904	attrib.exe
2988	attrib.exe
2188	attrib.exe
1536	attrib.exe
3784	attrib.exe
4728	attrib.exe
7900	attrib.exe
7648	attrib.exe
3012	attrib.exe
1408	attrib.exe
5876	attrib.exe
848	attrib.exe
5796	attrib.exe
7060	attrib.exe
1064	attrib.exe
2868	attrib.exe
4420	attrib.exe
7020	attrib.exe
6388	attrib.exe
7500	attrib.exe
2752	attrib.exe
1952	attrib.exe
3232	attrib.exe
3392	attrib.exe
580	attrib.exe

C:\Users\Admin\AppData\Local\Temp\60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
"C:\Users\Admin\AppData\Local\Temp\60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe" +s +h
    3⤵
    - Sets file to hidden
    PID:2488
- C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
  "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\A7D3.tmp\Mt2-Multi.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\xcopy.exe
      xcopy root.eix pack /y
      4⤵
      Enumerates system info in registry
      PID:2144
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Deletes itself
  PID:2516
- C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
  "C:\Windows\system32\MSDCSC\msdcsc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
      4⤵
      PID:2192
- - C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
    "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2884
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe
    "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
      4⤵
      PID:1792
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
      "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2384
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
      "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      PID:1208
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        5⤵
        
        PID:2164
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        6⤵
        Sets file to hidden
        
        PID:1968
    - - C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        5⤵
        Executes dropped EXE
        
        PID:1212
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:968
    - - C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2304
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        6⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2024
      - C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        6⤵
        Executes dropped EXE
        
        PID:2200
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        
        PID:788
      - C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        7⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        8⤵
        Drops file in System32 directory
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        7⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        7⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        8⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        9⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        8⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        8⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        10⤵
        Drops file in System32 directory
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        9⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        9⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        9⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        10⤵
        
        PID:624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        11⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        10⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        10⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        10⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        11⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        12⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        11⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        11⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        11⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        12⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        13⤵
        Sets file to hidden
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        12⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        12⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        13⤵
        
        PID:964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        14⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        13⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        13⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        13⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        14⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        15⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        14⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        14⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        15⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        16⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        15⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        15⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        15⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        17⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        16⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        16⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        17⤵
        
        PID:628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        18⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        17⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        17⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        18⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        19⤵
        Views/modifies file attributes
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        18⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        18⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        19⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        20⤵
        Views/modifies file attributes
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        19⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        19⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        20⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        21⤵
        Sets file to hidden
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        20⤵
        Executes dropped EXE
        
        PID:484
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        20⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        21⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        22⤵
        Views/modifies file attributes
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        21⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        21⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        23⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        22⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        22⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        22⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        23⤵
        
        PID:444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        24⤵
        Sets file to hidden
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        23⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        23⤵
        
        PID:944
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        23⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        24⤵
        
        PID:308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        25⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        24⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        24⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        24⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        25⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        26⤵
        Views/modifies file attributes
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        25⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        25⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        25⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        26⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        27⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        26⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        26⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        26⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        28⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        27⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        27⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        27⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        28⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        29⤵
        Sets file to hidden
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        28⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        28⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        30⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        29⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        29⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        30⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        31⤵
        Views/modifies file attributes
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        30⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        30⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        30⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        31⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        32⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        31⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        31⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        31⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        32⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        33⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        32⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        33⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        34⤵
        Sets file to hidden
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        33⤵
        
        PID:772
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        33⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        34⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        35⤵
        Sets file to hidden
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        34⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        34⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        34⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        35⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        36⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        35⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        35⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        36⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        37⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        36⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        36⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        36⤵
        Modifies WinLogon for persistence
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        37⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        38⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        37⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        37⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        37⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        38⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        39⤵
        Views/modifies file attributes
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        38⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        38⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        38⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        39⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        39⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        39⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        39⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        40⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        41⤵
        Sets file to hidden
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        40⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        40⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        40⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        41⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        41⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        41⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        42⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        43⤵
        Drops file in System32 directory
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        42⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        42⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        42⤵
        Modifies WinLogon for persistence
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        43⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        44⤵
        Views/modifies file attributes
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        43⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        43⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        43⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        44⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        45⤵
        Views/modifies file attributes
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        44⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        44⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        44⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        46⤵
        Sets file to hidden
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        45⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        45⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        45⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        46⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        47⤵
        Sets file to hidden
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        46⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        46⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        46⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        47⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        48⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        47⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        47⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        47⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        48⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        49⤵
        Sets file to hidden
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        48⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        48⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        48⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        49⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        50⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        49⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        49⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        49⤵
        Adds Run key to start application
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        50⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        51⤵
        Views/modifies file attributes
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        50⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        50⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        51⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        52⤵
        Views/modifies file attributes
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        51⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        51⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        51⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        52⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        53⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        52⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        52⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        52⤵
        Modifies WinLogon for persistence
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        53⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        54⤵
        Views/modifies file attributes
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        53⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        53⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        53⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        54⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        54⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        54⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        54⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        55⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        56⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        55⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:3132
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        55⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        56⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        57⤵
        Views/modifies file attributes
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        56⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        56⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        56⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        57⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        58⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        57⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        57⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        58⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        59⤵
        Views/modifies file attributes
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        58⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        58⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        58⤵
        Adds Run key to start application
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        59⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        60⤵
        Drops file in System32 directory
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        59⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        59⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        59⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        60⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        61⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        60⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        60⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        62⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        61⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        61⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        61⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        62⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        63⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        62⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        62⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        62⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        63⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        64⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        63⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        63⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        63⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        64⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        64⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        64⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        64⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        65⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        66⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        65⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        65⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        66⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        67⤵
        Views/modifies file attributes
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        66⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        66⤵
        Adds Run key to start application
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        67⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        68⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        67⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        67⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        67⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        68⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        69⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        68⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        68⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        70⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        69⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        69⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        70⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        71⤵
        Sets file to hidden
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        70⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        70⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        71⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        72⤵
        Sets file to hidden
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        71⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        71⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        71⤵
        Modifies WinLogon for persistence
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        72⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        72⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        73⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        74⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        73⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        73⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        74⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        75⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        74⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        74⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        74⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        75⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        75⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        75⤵
        Modifies WinLogon for persistence
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        76⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        77⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        76⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        76⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        77⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        77⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        77⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        78⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        79⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        78⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        78⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        78⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        79⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        80⤵
        Sets file to hidden
        Drops file in System32 directory
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        79⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        79⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        80⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        81⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        80⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        80⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        80⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        81⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        82⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        81⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        81⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        81⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        82⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        83⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        82⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        82⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        82⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        83⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        84⤵
        Sets file to hidden
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        83⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        83⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        83⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        84⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        85⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        84⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        84⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        84⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        85⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        86⤵
        Sets file to hidden
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        85⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        85⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        85⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        86⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        87⤵
        Sets file to hidden
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        86⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        86⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        86⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        87⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        88⤵
        Views/modifies file attributes
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        87⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        87⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        87⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        88⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        89⤵
        Sets file to hidden
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        88⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        88⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        88⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        89⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        90⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        89⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        89⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        89⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        90⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        91⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        90⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        90⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        90⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        91⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        92⤵
        Sets file to hidden
        
        PID:5672
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        91⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        91⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        91⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        92⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        93⤵
        Sets file to hidden
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        92⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        92⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        92⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        93⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        94⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        93⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        93⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        93⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        94⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        95⤵
        Views/modifies file attributes
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        94⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        94⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        94⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        95⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        96⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        95⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        95⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        95⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        96⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        97⤵
        Views/modifies file attributes
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        96⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        96⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        96⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        97⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        98⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        97⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        97⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        97⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        98⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        99⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        98⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        98⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        98⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        99⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        100⤵
        Views/modifies file attributes
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        99⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        99⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        99⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        100⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        101⤵
        Views/modifies file attributes
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        100⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        100⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        100⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        101⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        102⤵
        
        PID:5380
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        101⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        101⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        101⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        102⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        103⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        102⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        102⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        102⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        103⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        104⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        103⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        103⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        103⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        104⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        105⤵
        
        PID:5948
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        104⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        104⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        104⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        105⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        106⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        105⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        105⤵
        
        PID:848
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        105⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        106⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        107⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        106⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        106⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        106⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        107⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        108⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        107⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        107⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        107⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        108⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        109⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        108⤵
        
        PID:568
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        108⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        108⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        109⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        110⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5992
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        109⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        109⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        109⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        110⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        111⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        110⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        110⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        110⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        111⤵
        
        PID:952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        112⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        111⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        111⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        111⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        112⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        113⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        112⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        112⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        112⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        113⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        114⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6252
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        113⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        113⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        113⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        114⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        115⤵
        Sets file to hidden
        
        PID:6468
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        114⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        114⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        114⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        115⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        116⤵
        Sets file to hidden
        
        PID:6696
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        115⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        115⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        115⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        116⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        117⤵
        
        PID:6920
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        116⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        116⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        116⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        117⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        118⤵
        Views/modifies file attributes
        
        PID:7136
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        117⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        117⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        117⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        118⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        119⤵
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        118⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        118⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        118⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        119⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        120⤵
        Sets file to hidden
        
        PID:6556
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        119⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        119⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        119⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        120⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        121⤵
        
        PID:6816
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        120⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        120⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        120⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        121⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        122⤵
        Views/modifies file attributes
        
        PID:7060
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        121⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        121⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        121⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        122⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        123⤵
        
        PID:6328
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        122⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        122⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        122⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        123⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        124⤵
        Views/modifies file attributes
        
        PID:6616
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        123⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        123⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        123⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        124⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        125⤵
        Sets file to hidden
        
        PID:6968
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        124⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        124⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        124⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        125⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        126⤵
        Sets file to hidden
        
        PID:6868
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        125⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        125⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        125⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        126⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        127⤵
        
        PID:6560
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        126⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        126⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        126⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        127⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        128⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7020
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        127⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        127⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        127⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        128⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        129⤵
        Views/modifies file attributes
        
        PID:6392
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        128⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        128⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        128⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        129⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        130⤵
        Views/modifies file attributes
        
        PID:6828
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        129⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        129⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        129⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        130⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        131⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6488
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        130⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        130⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        130⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        131⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        132⤵
        
        PID:7020
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        131⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        131⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        131⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        132⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        133⤵
        Views/modifies file attributes
        
        PID:6388
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        132⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        132⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        132⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        133⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        134⤵
        
        PID:6892
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        133⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        133⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        133⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        134⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        135⤵
        
        PID:6396
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        134⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        134⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        134⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        135⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        136⤵
        Views/modifies file attributes
        
        PID:6640
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        135⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        135⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        135⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        136⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        137⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        136⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        136⤵
        
        PID:936
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        136⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        137⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        138⤵
        Sets file to hidden
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        137⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        137⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        137⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        138⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        139⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7284
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        138⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        138⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        138⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        139⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        140⤵
        Views/modifies file attributes
        
        PID:7500
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        139⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        139⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        139⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        140⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        141⤵
        
        PID:7720
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        140⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        140⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        140⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        141⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        142⤵
        
        PID:7948
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        141⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        141⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        141⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        142⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        143⤵
        Views/modifies file attributes
        
        PID:8172
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        142⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        142⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        142⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        143⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        144⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7332
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        143⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        143⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        143⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        144⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        145⤵
        Sets file to hidden
        
        PID:7568
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        144⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        144⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        144⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        145⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        146⤵
        Sets file to hidden
        
        PID:7856
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        145⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        145⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        145⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        146⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        147⤵
        Views/modifies file attributes
        
        PID:7900
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        146⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        146⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        146⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        147⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        148⤵
        
        PID:7352
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        147⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        147⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        147⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        148⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        149⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7648
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        148⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        148⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        148⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        149⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        150⤵
        Views/modifies file attributes
        
        PID:7992
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        149⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        149⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        149⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        150⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        151⤵
        
        PID:7176
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        150⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        150⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        150⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        151⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        152⤵
        
        PID:6700
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        151⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        151⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        151⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        152⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        153⤵
        Views/modifies file attributes
        
        PID:8012
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        152⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        152⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        152⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        153⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        154⤵
        Sets file to hidden
        
        PID:7220
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        153⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        153⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        153⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        154⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        155⤵
        
        PID:7768
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        154⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        154⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        154⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        155⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        156⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7672
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        155⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        155⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        155⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        156⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        157⤵
        
        PID:7508
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        156⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        156⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        156⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        157⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        158⤵
        
        PID:8004
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        157⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        157⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        157⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        158⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        159⤵
        
        PID:8088
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        158⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        158⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        158⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        159⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        160⤵
        
        PID:6864
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        159⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        159⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        159⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        160⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        161⤵
        Sets file to hidden
        
        PID:7508
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        160⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        160⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        160⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        161⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        162⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7768
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        161⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        161⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        161⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        162⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        163⤵
        
        PID:7456
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        162⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        162⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        162⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        163⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        164⤵
        Views/modifies file attributes
        
        PID:8280
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        163⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        163⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"
        163⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        164⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h
        165⤵
        Views/modifies file attributes
        
        PID:8504
        
        C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"
        164⤵
        
        PID:8488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-924450168-441683927-574237555-1197510602-2062658427-187726047-1443919976-895761656"
1⤵
PID:2192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "332329827128340747911437936831444518399-946875195117149977419391607561264717364"
1⤵
PID:2524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12499627211198484275-2680162421482210564427507221-17743443426875385-282727020"
1⤵
PID:3012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-28361197216323351274487410011766035454-2073867718-30058522212604669171507048065"
1⤵
PID:2564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1001044632236678898-83193545544604574-21455337561738107234973968687-1802348255"
1⤵
PID:1516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1835453588-2826099281448471629675890266737085177-56076619-1730648987-1346452131"
1⤵
PID:2956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "713205674-612584010750793892-15760967971891992249-10952282410499454761164982365"
1⤵
PID:1952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9026523847989173991906734076-400735682-64357292096245278-875264844-2100274902"
1⤵
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-103139734818522887605370341261189970979-1974850666-627042845-1162227417-191191258"
1⤵
PID:3572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1328095216270013664-177896732079662026711633711-1884501405-12538080591892752729"
1⤵
PID:3232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "931992071802580167718281571-19595063378956981391419883310-6123808961526910262"
1⤵
PID:884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8589654961928845292-613917259-18789827441109987474-46647458369910805-2028769253"
1⤵
PID:2188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-992436898-609301892-16845659731540583286-233187040-2112082551551630569-1484439967"
1⤵
PID:4492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1671917124-1631283987-12945706491920309244681065900-5585234431838252883-1179467951"
1⤵
PID:272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15086768131234485195-844145131679008704-148658525327248910-12489922111118966651"
1⤵
PID:4976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "872048584-579382242158072052407938227-17054536922030082469599584379-972898010"
1⤵
PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A7D3.tmp\Mt2-Multi.bat

Filesize
1017B

MD5
e8418b1de6056eba9bc6ab0c39816d92

SHA1
84f1a312e1e091a6a3a2732dfaadb184925ecf23

SHA256
dc03a6cb5d890b394710e7e7e62078769e022f67fc860ef395c9266cc6e366c3

SHA512
5850e9ae599d8e331cd1de9d588b6141a5fb49535465269e77f48f5f8c502e8031bc8db323c24ea8d4848fc65504ae1fbd6fde668ed14ae1f5671efccdc8215b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE

Filesize
4.0MB

MD5
ccc17e89b056812ed0974d656b1238af

SHA1
3cb7818b697a97a51765849dfdc1d907a53e3b46

SHA256
5665f6c603b8356a61fe90d5d90b0ea945342c90210eccdf4884d1ca88013703

SHA512
67c327330ea33026e447c3b636c86833145e2b9931b423cfa906c4d0423504e7d374f389cb3c1b31cc98e3f235b9e0e14d633b0b7df1f0135b5df71187510601

Download Submit
C:\Users\Admin\AppData\Local\Temp\locale_de.eix

Filesize
5KB

MD5
ecd47ce38514bdcc77261d7999c1fc31

SHA1
2474132673bff0597126066a02aacf93d121df33

SHA256
7de3ed1684a75828b8b018b657377526d3757ec12c3bae23b791397d99725177

SHA512
f444739eba131ead9fb3758866c695da3e9b71fcd17f9a9b6f17a8385eadb2d9c5b525048c2ec79792e6524f2620c73151fc49956335b684756f3dec8e97d800

Download Submit
C:\Users\Admin\AppData\Local\Temp\locale_de.epk

Filesize
4.0MB

MD5
d7f078c90867fcde7c5d8436cc56971c

SHA1
b1f71f7496418a479ceaf584d010b5c33dd8974e

SHA256
90e38a646c07e5ea8456459bee2d07920e48bd916e841f8328372d2971a74c98

SHA512
2b44e4e583c8d6205d1e5532c50d2811bc704455ba89312746084a2a3d5e688c7a12c3fcd5c2031abb6a84a2eb9f8406f1096f1236bcc1496bde07365dbaba13

Download Submit
C:\Users\Admin\AppData\Local\Temp\mod_config.cfg

Filesize
105B

MD5
f856c5b043e95b51974550405aef95af

SHA1
e7e8b5e0000fdb416a46c3d95316520e92c5185e

SHA256
b1bb1ad59ab40011980401ad514b4e7a2adcba56912045afbad090f593fce813

SHA512
e38a84fd7baef517a9cf031c69ce63cb4136de2ec2cf8665d24b9632faf5fed523b73754225c6cce92967ea378f85d21c21e0735dc070891f1a52a57f769927f

Download Submit
\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
4.6MB

MD5
d35685275d19eba3a22a46003858b4b0

SHA1
196ffdf8fab82a9fe1a268cd6a6897ef331b46bb

SHA256
60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063

SHA512
5e33cd1983d05b9697ef3a0cb4ac8129f53b0156c434dad1398dec6e67b44e5fa82d531741b8afcf32e8106d59d64aeba5e71e53a6dba352d4f89621217374cf

Download Submit
memory/592-350-0x0000000004140000-0x0000000004605000-memory.dmp

Filesize
4.8MB

Download
memory/1208-189-0x0000000004050000-0x0000000004515000-memory.dmp

Filesize
4.8MB

Download
memory/1212-347-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1212-190-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1316-480-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1316-311-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1968-391-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1968-748-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/1996-89-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/1996-0-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1996-310-0x00000000041E0000-0x00000000046A5000-memory.dmp

Filesize
4.8MB

Download
memory/1996-8-0x0000000004060000-0x0000000004525000-memory.dmp

Filesize
4.8MB

Download
memory/2024-430-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2024-848-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2124-429-0x0000000003FA0000-0x0000000004465000-memory.dmp

Filesize
4.8MB

Download
memory/2160-225-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2160-10-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2200-229-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2200-387-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2284-390-0x0000000004040000-0x0000000004505000-memory.dmp

Filesize
4.8MB

Download
memory/2304-228-0x0000000004140000-0x0000000004605000-memory.dmp

Filesize
4.8MB

Download
memory/2384-300-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2384-145-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2448-351-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2448-643-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2492-138-0x0000000000400000-0x00000000008A9000-memory.dmp

Filesize
4.7MB

Download
memory/2492-96-0x0000000004210000-0x00000000046D5000-memory.dmp

Filesize
4.8MB

Download
memory/2516-33-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2516-15-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2744-144-0x00000000041D0000-0x0000000004695000-memory.dmp

Filesize
4.8MB

Download
memory/2820-392-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2820-267-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2884-268-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2884-98-0x0000000000400000-0x00000000008C5000-memory.dmp

Filesize
4.8MB

Download
memory/2976-266-0x0000000003F90000-0x0000000004455000-memory.dmp

Filesize
4.8MB

Download
memory/3012-481-0x0000000004020000-0x00000000044E5000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads