darkcomet | 0198e4ece40cebc1f98328360ca69e4b5386c2ff444596b268eb9af4ff137c97

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Size

650KB
MD5

1d74fad1e7d34e01d3d775528ef60460
SHA1

822bc0882d94ff9b2c6396d97dd6ee7c0d0a7356
SHA256

0198e4ece40cebc1f98328360ca69e4b5386c2ff444596b268eb9af4ff137c97
SHA512

27414da752359560068dc533f53e8c58161f4739194f2bbbc8e2a3e5c9989a3e5dfa2a6c137f8465ade8611d7274da2c20bccfd880622e0484c516c8528b0d1e
SSDEEP

12288:bk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+I:Q0QRWoJEfg0oChGdJQbjPbNW5tYeP+GB

Score

10^/10

darkcomet blowme persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

blowme

90.207.119.46:443

Mutex

AF48NLA

Attributes

InstallPath
\msdcsc.exe
gencode
roqmzCFsJnuf
install
true
offline_keylogger
true
password
blowmeya
persistence
true
reg_key
update

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 42 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe"	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe,C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3020 cmd.exe

pid	process
3020	cmd.exe

Executes dropped EXE 40 IoCs

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

pid	process
2064	msdcsc.exe
2568	msdcsc.exe
2456	msdcsc.exe
2476	msdcsc.exe
1432	msdcsc.exe
1780	msdcsc.exe
1720	msdcsc.exe
536	msdcsc.exe
1120	msdcsc.exe
1632	msdcsc.exe
772	msdcsc.exe
1664	msdcsc.exe
1736	msdcsc.exe
2552	msdcsc.exe
2712	msdcsc.exe
2192	msdcsc.exe
2380	msdcsc.exe
1432	msdcsc.exe
2020	msdcsc.exe
1796	msdcsc.exe
1632	msdcsc.exe
1952	msdcsc.exe
2604	msdcsc.exe
2440	msdcsc.exe
3056	msdcsc.exe
1780	msdcsc.exe
484	msdcsc.exe
2436	msdcsc.exe
2916	msdcsc.exe
2684	msdcsc.exe
2440	msdcsc.exe
2256	msdcsc.exe
1132	msdcsc.exe
2916	msdcsc.exe
1608	msdcsc.exe
800	msdcsc.exe
1792	msdcsc.exe
1976	msdcsc.exe
2276	msdcsc.exe
744	msdcsc.exe

Loads dropped DLL 42 IoCs

Processes:

1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

pid	process
3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
2064	msdcsc.exe
2064	msdcsc.exe
2568	msdcsc.exe
2568	msdcsc.exe
2456	msdcsc.exe
2476	msdcsc.exe
1432	msdcsc.exe
1780	msdcsc.exe
1720	msdcsc.exe
536	msdcsc.exe
1120	msdcsc.exe
1632	msdcsc.exe
772	msdcsc.exe
1664	msdcsc.exe
2552	msdcsc.exe
2712	msdcsc.exe
2192	msdcsc.exe
2380	msdcsc.exe
1432	msdcsc.exe
2020	msdcsc.exe
1796	msdcsc.exe
1632	msdcsc.exe
1952	msdcsc.exe
2604	msdcsc.exe
2440	msdcsc.exe
3056	msdcsc.exe
1780	msdcsc.exe
484	msdcsc.exe
2436	msdcsc.exe
2916	msdcsc.exe
2684	msdcsc.exe
2440	msdcsc.exe
2256	msdcsc.exe
1132	msdcsc.exe
2640	msdcsc.exe
1608	msdcsc.exe
800	msdcsc.exe
1792	msdcsc.exe
1976	msdcsc.exe
2276	msdcsc.exe

Adds Run key to start application 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe"	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\\\roqmzCFsJnuf\\msdcsc.exe"	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 42 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2020	PING.EXE
2500	PING.EXE
2292	PING.EXE
568	PING.EXE
2948	PING.EXE
1720	PING.EXE
988	PING.EXE
1796	PING.EXE
1056	PING.EXE
2252	PING.EXE
2544	PING.EXE
840	PING.EXE
1780	PING.EXE
2692	PING.EXE
2400	PING.EXE
2832	PING.EXE
1544	PING.EXE
2872	PING.EXE
2240	PING.EXE
1496	PING.EXE
2932	PING.EXE
788	PING.EXE
2268	PING.EXE
2076	PING.EXE
1640	PING.EXE
2600	PING.EXE
2604	PING.EXE
2276	PING.EXE
2072	PING.EXE
2516	PING.EXE
1452	PING.EXE
1132	PING.EXE
2348	PING.EXE
1704	PING.EXE
1460	PING.EXE
1744	PING.EXE
1168	PING.EXE
3052	PING.EXE
1580	PING.EXE
2036	PING.EXE
2200	PING.EXE
884	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exemsdcsc.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeSecurityPrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeBackupPrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeRestorePrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeShutdownPrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeDebugPrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeUndockPrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: 33	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: 34	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: 35	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2064	msdcsc.exe
Token: SeSecurityPrivilege	2064	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2064	msdcsc.exe
Token: SeLoadDriverPrivilege	2064	msdcsc.exe
Token: SeSystemProfilePrivilege	2064	msdcsc.exe
Token: SeSystemtimePrivilege	2064	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2064	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2064	msdcsc.exe
Token: SeCreatePagefilePrivilege	2064	msdcsc.exe
Token: SeBackupPrivilege	2064	msdcsc.exe
Token: SeRestorePrivilege	2064	msdcsc.exe
Token: SeShutdownPrivilege	2064	msdcsc.exe
Token: SeDebugPrivilege	2064	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2064	msdcsc.exe
Token: SeChangeNotifyPrivilege	2064	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2064	msdcsc.exe
Token: SeUndockPrivilege	2064	msdcsc.exe
Token: SeManageVolumePrivilege	2064	msdcsc.exe
Token: SeImpersonatePrivilege	2064	msdcsc.exe
Token: SeCreateGlobalPrivilege	2064	msdcsc.exe
Token: 33	2064	msdcsc.exe
Token: 34	2064	msdcsc.exe
Token: 35	2064	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2568	msdcsc.exe
Token: SeSecurityPrivilege	2568	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2568	msdcsc.exe
Token: SeLoadDriverPrivilege	2568	msdcsc.exe
Token: SeSystemProfilePrivilege	2568	msdcsc.exe
Token: SeSystemtimePrivilege	2568	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2568	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2568	msdcsc.exe
Token: SeCreatePagefilePrivilege	2568	msdcsc.exe
Token: SeBackupPrivilege	2568	msdcsc.exe
Token: SeRestorePrivilege	2568	msdcsc.exe
Token: SeShutdownPrivilege	2568	msdcsc.exe
Token: SeDebugPrivilege	2568	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2568	msdcsc.exe
Token: SeChangeNotifyPrivilege	2568	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2568	msdcsc.exe
Token: SeUndockPrivilege	2568	msdcsc.exe
Token: SeManageVolumePrivilege	2568	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.execmd.exemsdcsc.execmd.exemsdcsc.execmd.exemsdcsc.execmd.exemsdcsc.execmd.exemsdcsc.exe

description	pid	process	target process
PID 3068 wrote to memory of 3020	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe	cmd.exe
PID 3068 wrote to memory of 3020	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe	cmd.exe
PID 3068 wrote to memory of 3020	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe	cmd.exe
PID 3068 wrote to memory of 3020	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe	cmd.exe
PID 3020 wrote to memory of 2500	3020	cmd.exe	PING.EXE
PID 3020 wrote to memory of 2500	3020	cmd.exe	PING.EXE
PID 3020 wrote to memory of 2500	3020	cmd.exe	PING.EXE
PID 3020 wrote to memory of 2500	3020	cmd.exe	PING.EXE
PID 3068 wrote to memory of 2064	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe	msdcsc.exe
PID 3068 wrote to memory of 2064	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe	msdcsc.exe
PID 3068 wrote to memory of 2064	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe	msdcsc.exe
PID 3068 wrote to memory of 2064	3068	1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe	msdcsc.exe
PID 2064 wrote to memory of 2564	2064	msdcsc.exe	cmd.exe
PID 2064 wrote to memory of 2564	2064	msdcsc.exe	cmd.exe
PID 2064 wrote to memory of 2564	2064	msdcsc.exe	cmd.exe
PID 2064 wrote to memory of 2564	2064	msdcsc.exe	cmd.exe
PID 2564 wrote to memory of 2076	2564	cmd.exe	PING.EXE
PID 2564 wrote to memory of 2076	2564	cmd.exe	PING.EXE
PID 2564 wrote to memory of 2076	2564	cmd.exe	PING.EXE
PID 2564 wrote to memory of 2076	2564	cmd.exe	PING.EXE
PID 2064 wrote to memory of 2568	2064	msdcsc.exe	msdcsc.exe
PID 2064 wrote to memory of 2568	2064	msdcsc.exe	msdcsc.exe
PID 2064 wrote to memory of 2568	2064	msdcsc.exe	msdcsc.exe
PID 2064 wrote to memory of 2568	2064	msdcsc.exe	msdcsc.exe
PID 2568 wrote to memory of 2676	2568	msdcsc.exe	cmd.exe
PID 2568 wrote to memory of 2676	2568	msdcsc.exe	cmd.exe
PID 2568 wrote to memory of 2676	2568	msdcsc.exe	cmd.exe
PID 2568 wrote to memory of 2676	2568	msdcsc.exe	cmd.exe
PID 2676 wrote to memory of 2400	2676	cmd.exe	PING.EXE
PID 2676 wrote to memory of 2400	2676	cmd.exe	PING.EXE
PID 2676 wrote to memory of 2400	2676	cmd.exe	PING.EXE
PID 2676 wrote to memory of 2400	2676	cmd.exe	PING.EXE
PID 2568 wrote to memory of 2456	2568	msdcsc.exe	msdcsc.exe
PID 2568 wrote to memory of 2456	2568	msdcsc.exe	msdcsc.exe
PID 2568 wrote to memory of 2456	2568	msdcsc.exe	msdcsc.exe
PID 2568 wrote to memory of 2456	2568	msdcsc.exe	msdcsc.exe
PID 2456 wrote to memory of 2808	2456	msdcsc.exe	cmd.exe
PID 2456 wrote to memory of 2808	2456	msdcsc.exe	cmd.exe
PID 2456 wrote to memory of 2808	2456	msdcsc.exe	cmd.exe
PID 2456 wrote to memory of 2808	2456	msdcsc.exe	cmd.exe
PID 2808 wrote to memory of 2832	2808	cmd.exe	PING.EXE
PID 2808 wrote to memory of 2832	2808	cmd.exe	PING.EXE
PID 2808 wrote to memory of 2832	2808	cmd.exe	PING.EXE
PID 2808 wrote to memory of 2832	2808	cmd.exe	PING.EXE
PID 2456 wrote to memory of 2476	2456	msdcsc.exe	msdcsc.exe
PID 2456 wrote to memory of 2476	2456	msdcsc.exe	msdcsc.exe
PID 2456 wrote to memory of 2476	2456	msdcsc.exe	msdcsc.exe
PID 2456 wrote to memory of 2476	2456	msdcsc.exe	msdcsc.exe
PID 2476 wrote to memory of 1276	2476	msdcsc.exe	cmd.exe
PID 2476 wrote to memory of 1276	2476	msdcsc.exe	cmd.exe
PID 2476 wrote to memory of 1276	2476	msdcsc.exe	cmd.exe
PID 2476 wrote to memory of 1276	2476	msdcsc.exe	cmd.exe
PID 2476 wrote to memory of 1432	2476	msdcsc.exe	msdcsc.exe
PID 2476 wrote to memory of 1432	2476	msdcsc.exe	msdcsc.exe
PID 2476 wrote to memory of 1432	2476	msdcsc.exe	msdcsc.exe
PID 2476 wrote to memory of 1432	2476	msdcsc.exe	msdcsc.exe
PID 1276 wrote to memory of 2292	1276	cmd.exe	PING.EXE
PID 1276 wrote to memory of 2292	1276	cmd.exe	PING.EXE
PID 1276 wrote to memory of 2292	1276	cmd.exe	PING.EXE
PID 1276 wrote to memory of 2292	1276	cmd.exe	PING.EXE
PID 1432 wrote to memory of 2648	1432	msdcsc.exe	cmd.exe
PID 1432 wrote to memory of 2648	1432	msdcsc.exe	cmd.exe
PID 1432 wrote to memory of 2648	1432	msdcsc.exe	cmd.exe
PID 1432 wrote to memory of 2648	1432	msdcsc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
3⤵
- Runs ping.exe
PID:2500

C:\Users\Admin\AppData\Roaming\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\msdcsc.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\msdcsc.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
4⤵
- Runs ping.exe
PID:2076

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
5⤵
- Runs ping.exe
PID:2400

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
6⤵
- Runs ping.exe
PID:2832

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
7⤵
- Runs ping.exe
PID:2292

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
7⤵
PID:2648

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
8⤵
- Runs ping.exe
PID:2348

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
8⤵
PID:2028

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
9⤵
- Runs ping.exe
PID:2252

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
9⤵
PID:1856

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
10⤵
- Runs ping.exe
PID:2072

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
10⤵
PID:1800

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
11⤵
- Runs ping.exe
PID:1704

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
11⤵
PID:448

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
12⤵
- Runs ping.exe
PID:1460

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
11⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
12⤵
PID:1288

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
13⤵
- Runs ping.exe
PID:788

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
13⤵
PID:2332

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
14⤵
- Runs ping.exe
PID:568

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
13⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
14⤵
PID:1560

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
15⤵
- Runs ping.exe
PID:1744

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
PID:1736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
15⤵
PID:240

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
16⤵
- Runs ping.exe
PID:1640

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
15⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
16⤵
PID:3068

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
17⤵
- Runs ping.exe
PID:2516

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
17⤵
PID:2688

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
18⤵
- Runs ping.exe
PID:2544

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
17⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
18⤵
PID:2456

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
19⤵
- Runs ping.exe
PID:2948

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
19⤵
PID:2664

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
20⤵
- Runs ping.exe
PID:2036

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
19⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
20⤵
PID:2244

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
21⤵
- Runs ping.exe
PID:1720

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
21⤵
PID:2908

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
22⤵
- Runs ping.exe
PID:1544

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
21⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
22⤵
PID:1696

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
23⤵
- Runs ping.exe
PID:2872

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
23⤵
PID:1200

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
24⤵
- Runs ping.exe
PID:840

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
23⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
24⤵
PID:1788

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
25⤵
- Runs ping.exe
PID:2600

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
25⤵
PID:2700

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
26⤵
- Runs ping.exe
PID:2200

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
25⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
26⤵
PID:1224

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
27⤵
- Runs ping.exe
PID:2240

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
26⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:3056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
27⤵
PID:2944

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
28⤵
- Runs ping.exe
PID:1496

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
27⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
28⤵
PID:2524

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
29⤵
- Runs ping.exe
PID:988

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
28⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
29⤵
PID:3028

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
30⤵
- Runs ping.exe
PID:1796

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
29⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
30⤵
PID:2888

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
31⤵
- Runs ping.exe
PID:1452

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
30⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
31⤵
PID:1716

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
32⤵
- Runs ping.exe
PID:2604

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
31⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
32⤵
PID:2784

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
33⤵
- Runs ping.exe
PID:1168

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
32⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
33⤵
PID:2848

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
34⤵
- Runs ping.exe
PID:3052

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
33⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
34⤵
PID:752

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
35⤵
- Runs ping.exe
PID:2020

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
34⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
35⤵
PID:2004

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
36⤵
- Runs ping.exe
PID:2932

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
35⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
PID:2916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
36⤵
PID:1772

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
37⤵
- Runs ping.exe
PID:1580

C:\Users\Admin\AppData\Roaming\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\msdcsc.exe"
36⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
PID:2640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\msdcsc.exe"
37⤵
PID:1960

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
38⤵
- Runs ping.exe
PID:1780

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
37⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
38⤵
PID:536

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
39⤵
- Runs ping.exe
PID:2692

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
38⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
39⤵
PID:2376

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
40⤵
- Runs ping.exe
PID:2268

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
39⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
40⤵
PID:2640

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
41⤵
- Runs ping.exe
PID:884

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
40⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\roqmzCFsJnuf\msdcsc.exe"
41⤵
PID:1460

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
42⤵
- Runs ping.exe
PID:1056

C:\Users\Admin\AppData\Roaming\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\msdcsc.exe"
41⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\msdcsc.exe"
42⤵
PID:1792

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
43⤵
- Runs ping.exe
PID:1132

C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
42⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
PID:744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Roaming\roqmzCFsJnuf\msdcsc.exe"
43⤵
PID:1428

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
44⤵
- Runs ping.exe
PID:2276

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\msdcsc.exe
Filesize
650KB

MD5
1d74fad1e7d34e01d3d775528ef60460

SHA1
822bc0882d94ff9b2c6396d97dd6ee7c0d0a7356

SHA256
0198e4ece40cebc1f98328360ca69e4b5386c2ff444596b268eb9af4ff137c97

SHA512
27414da752359560068dc533f53e8c58161f4739194f2bbbc8e2a3e5c9989a3e5dfa2a6c137f8465ade8611d7274da2c20bccfd880622e0484c516c8528b0d1e

Download Submit
memory/484-257-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/536-95-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/744-343-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/772-124-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/800-319-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1120-105-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1132-295-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1432-186-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1432-65-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1608-312-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1632-114-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1632-215-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1664-134-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1720-84-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1736-138-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1780-74-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1780-250-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1792-326-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1796-207-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1952-222-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1976-333-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2020-196-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2064-23-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2192-167-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2256-288-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2276-340-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2380-177-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2436-264-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2440-236-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2440-281-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2456-45-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2476-54-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2552-146-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2568-35-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2604-229-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2640-305-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2684-274-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2712-156-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2916-298-0x00000000777D0000-0x00000000778CA000-memory.dmp

Filesize
1000KB

Download
memory/2916-296-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2916-297-0x00000000778D0000-0x00000000779EF000-memory.dmp

Filesize
1.1MB

Download
memory/2916-267-0x00000000777D0000-0x00000000778CA000-memory.dmp

Filesize
1000KB

Download
memory/2916-265-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2916-266-0x00000000778D0000-0x00000000779EF000-memory.dmp

Filesize
1.1MB

Download
memory/3056-243-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/3068-0-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3068-11-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads