Windows Analysis Report
nwVe0gplCc.exe

Overview

General Information

Sample name: nwVe0gplCc.exe
renamed because original name is a hash value
Original sample name: 0339f68638bc40495d8b049bc8def331.bin.exe
Analysis ID: 1430646
MD5: 0339f68638bc40495d8b049bc8def331
SHA1: bacce3177bee1879b70f494670c2ea353135ccc8
SHA256: 3677070874e81e997c23f5a5a6279d60ef0e73617f9a2fdf4622c06f1958ee02
Tags: exeprg
Infos:

Detection

Zues
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Zues
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: nwVe0gplCc.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Windows\SysWOW64\ntos.exe Avira: detection malicious, Label: TR/Spy.Agent.42498
Multi AV Scanner detection for submitted file
Source: nwVe0gplCc.exe ReversingLabs: Detection: 94%
Machine Learning detection for dropped file
Source: C:\Windows\SysWOW64\ntos.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: nwVe0gplCc.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0041C00B CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_0041C00B
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_00409D19 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00409D19
Uses 32bit PE files
Source: nwVe0gplCc.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0041C0C3 PathCombineW,FindFirstFileW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose, 0_2_0041C0C3
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0041DCCB lstrcpyW,lstrcatW,FindFirstFileW,FindFirstFileW,FindClose,WaitForSingleObject, 0_2_0041DCCB
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_00406C9E ExpandEnvironmentStringsW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,FindNextFileW,FindClose, 0_2_00406C9E
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0041D959 PathCombineW,FindClose,PathCombineW,Sleep,PathCombineW,FindFirstFileW,WaitForSingleObject, 0_2_0041D959
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_00409DD1 PathCombineW,FindFirstFileW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose, 0_2_00409DD1
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0040B9D9 lstrcpyW,lstrcatW,FindFirstFileW,FindFirstFileW,FindClose,WaitForSingleObject, 0_2_0040B9D9
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0040B667 PathCombineW,FindClose,PathCombineW,Sleep,PathCombineW,FindFirstFileW,WaitForSingleObject, 0_2_0040B667
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_00415EDE PathCombineW,FindFirstFileW,PathCombineW,WaitForSingleObject,RtlEnterCriticalSection,PathMatchSpecW,PathCombineW,wnsprintfW,WaitForSingleObject,RtlLeaveCriticalSection,Sleep,FindNextFileW,FindClose, 0_2_00415EDE
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_00403BEC PathCombineW,FindFirstFileW,PathCombineW,WaitForSingleObject,RtlEnterCriticalSection,PathMatchSpecW,PathCombineW,wnsprintfW,WaitForSingleObject,RtlLeaveCriticalSection,Sleep,FindNextFileW,FindClose, 0_2_00403BEC
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_00418F90 ExpandEnvironmentStringsW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,FindNextFileW,FindClose, 0_2_00418F90
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_00417C33 HttpQueryInfoA,CreateFileW,WaitForSingleObject,InternetReadFile,WriteFile,FlushFileBuffers,CloseHandle, 0_2_00417C33
Source: nwVe0gplCc.exe, 00000000.00000002.3243321217.00000000007CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onlineeast#.bankofamerica.com/cgi-bin/ias/

E-Banking Fraud
barindex
Yara detected Zues
Source: Yara match File source: 00000000.00000002.3243321217.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nwVe0gplCc.exe PID: 1360, type: MEMORYSTR
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0041CD7B OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,CloseHandle,CreateProcessAsUserW,CloseHandle,CreateProcessW,CloseHandle,CloseHandle, 0_2_0041CD7B
Creates files inside the system directory
Source: C:\Users\user\Desktop\nwVe0gplCc.exe File created: C:\Windows\SysWOW64\ntos.exe Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe File created: C:\Windows\SysWOW64\ntos.exe:Zone.Identifier:$DATA Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0041B54B 0_2_0041B54B
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_00409259 0_2_00409259
Uses 32bit PE files
Source: nwVe0gplCc.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: nwVe0gplCc.exe Static PE information: Section: .dwp ZLIB complexity 0.9919577205882353
Source: ntos.exe.0.dr Static PE information: Section: .dwp ZLIB complexity 0.9919577205882353
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/2@0/0
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_00415492 CertOpenSystemStoreW,PFXExportCertStore,PFXExportCertStore,GetSystemTime,wnsprintfW,CertDuplicateCertificateContext,CertDeleteCRLFromStore,CertEnumCertificatesInStore,CertCloseStore, 0_2_00415492
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_004031A0 CertOpenSystemStoreW,PFXExportCertStore,PFXExportCertStore,GetSystemTime,wnsprintfW,CertDuplicateCertificateContext,CertDeleteCRLFromStore,CertEnumCertificatesInStore,CertCloseStore, 0_2_004031A0
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0040A517 GetCurrentProcessId,GetProcAddress,SetErrorMode,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,GetUserDefaultUILanguage, 0_2_0040A517
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0041C809 GetCurrentProcessId,GetProcAddress,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetUserDefaultUILanguage, 0_2_0041C809
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0040A8B2 CreateToolhelp32Snapshot,GetUserNameW,lstrcpyW,SHGetSpecialFolderPathW,Process32FirstW,lstrcmpiW,OpenProcess,K32GetModuleFileNameExW,PathCombineW,lstrcmpiW,lstrcmpiW,CloseHandle,Process32NextW,CloseHandle,CloseHandle,CloseHandle, 0_2_0040A8B2
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_004180B0 CoCreateInstance, 0_2_004180B0
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Mutant created: \Sessions\1\BaseNamedObjects\__SYSTEM__91C38905__
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: nwVe0gplCc.exe ReversingLabs: Detection: 94%
Source: C:\Users\user\Desktop\nwVe0gplCc.exe File read: C:\Users\user\Desktop\nwVe0gplCc.exe Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Section loaded: ntmarta.dll Jump to behavior
Source: nwVe0gplCc.exe Static file information: File size 4896768 > 1048576
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_004094EF LoadLibraryA,GetProcAddress, 0_2_004094EF
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .pwz
PE file contains sections with non-standard names
Source: nwVe0gplCc.exe Static PE information: section name: .dwp
Source: nwVe0gplCc.exe Static PE information: section name: .ryf
Source: nwVe0gplCc.exe Static PE information: section name: .avozuj
Source: nwVe0gplCc.exe Static PE information: section name: .pwz
Source: ntos.exe.0.dr Static PE information: section name: .dwp
Source: ntos.exe.0.dr Static PE information: section name: .ryf
Source: ntos.exe.0.dr Static PE information: section name: .avozuj
Source: ntos.exe.0.dr Static PE information: section name: .pwz
Drops PE files
Source: C:\Users\user\Desktop\nwVe0gplCc.exe File created: C:\Windows\SysWOW64\ntos.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\nwVe0gplCc.exe File created: C:\Windows\SysWOW64\ntos.exe Jump to dropped file

Boot Survival
barindex
Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon userinit Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_00419474 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrcmpiW, 0_2_00419474
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Window / User API: threadDelayed 4756 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\ntos.exe Jump to dropped file
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Evasive API call chain: GetSystemTime,DecisionNodes
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\nwVe0gplCc.exe API coverage: 6.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\nwVe0gplCc.exe TID: 7032 Thread sleep count: 4756 > 30 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe TID: 7032 Thread sleep time: -95120s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Thread sleep count: Count: 4756 delay: -20 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0041C0C3 PathCombineW,FindFirstFileW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose, 0_2_0041C0C3
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0041DCCB lstrcpyW,lstrcatW,FindFirstFileW,FindFirstFileW,FindClose,WaitForSingleObject, 0_2_0041DCCB
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_00406C9E ExpandEnvironmentStringsW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,FindNextFileW,FindClose, 0_2_00406C9E
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0041D959 PathCombineW,FindClose,PathCombineW,Sleep,PathCombineW,FindFirstFileW,WaitForSingleObject, 0_2_0041D959
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_00409DD1 PathCombineW,FindFirstFileW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose, 0_2_00409DD1
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0040B9D9 lstrcpyW,lstrcatW,FindFirstFileW,FindFirstFileW,FindClose,WaitForSingleObject, 0_2_0040B9D9
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0040B667 PathCombineW,FindClose,PathCombineW,Sleep,PathCombineW,FindFirstFileW,WaitForSingleObject, 0_2_0040B667
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_00415EDE PathCombineW,FindFirstFileW,PathCombineW,WaitForSingleObject,RtlEnterCriticalSection,PathMatchSpecW,PathCombineW,wnsprintfW,WaitForSingleObject,RtlLeaveCriticalSection,Sleep,FindNextFileW,FindClose, 0_2_00415EDE
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_00403BEC PathCombineW,FindFirstFileW,PathCombineW,WaitForSingleObject,RtlEnterCriticalSection,PathMatchSpecW,PathCombineW,wnsprintfW,WaitForSingleObject,RtlLeaveCriticalSection,Sleep,FindNextFileW,FindClose, 0_2_00403BEC
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_00418F90 ExpandEnvironmentStringsW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,FindNextFileW,FindClose, 0_2_00418F90
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_004094EF LoadLibraryA,GetProcAddress, 0_2_004094EF
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0040A4E3 GetProcessHeap, 0_2_0040A4E3
Enables debug privileges
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 400000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 400000 protect: page read and write Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 401000 protect: page read and write Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 40F000 protect: page read and write Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 411000 protect: page read and write Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 413000 protect: page read and write Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18230000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18230000 protect: page read and write Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18231000 protect: page read and write Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1823F000 protect: page read and write Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18241000 protect: page read and write Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18243000 protect: page read and write Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18260000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18290000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 182C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 182F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18320000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18350000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18380000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 183B0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 183E0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18410000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18440000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18470000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 184A0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 184D0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18500000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18530000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18560000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18590000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 185C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 185F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18620000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18650000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18680000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 186B0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 186E0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18710000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18740000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18770000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 187A0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 187D0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18800000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18830000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18860000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18890000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 188C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 188F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18920000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18950000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18980000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 189B0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 189E0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18A10000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18A40000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18A70000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18AA0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18AD0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18B00000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18B30000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18B60000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18B90000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18BC0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18BF0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18C20000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18C50000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18C80000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18CB0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18CE0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18D10000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18D40000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18D70000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18DA0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18DD0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18E00000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18E30000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18E60000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18E90000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18EC0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18EF0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18F20000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18F50000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18F80000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18FB0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 18FE0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19010000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19040000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19070000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 190A0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 190D0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19100000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19130000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19160000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19190000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 191C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 191F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19220000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19250000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19280000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 192B0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 192E0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19310000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19340000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19370000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 193A0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 193D0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19400000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19430000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19460000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19490000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 194C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 194F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19520000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19550000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19580000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 195B0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 195E0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19610000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19640000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19670000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 196A0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 196D0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19700000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19730000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19760000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19790000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 197C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 197F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19820000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19850000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19880000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 198B0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 198E0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19910000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19940000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19970000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 199A0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 199D0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19A00000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19A30000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19A60000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19A90000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19AC0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19AF0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19B20000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19B50000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19B80000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19BB0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19BE0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19C10000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19C40000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19C70000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19CA0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19CD0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19D00000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19D30000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19D60000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19D90000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19DC0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19DF0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19E20000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19E50000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19E80000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19EB0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19EE0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19F10000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19F40000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19F70000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19FA0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 19FD0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A000000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A030000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A060000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A090000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A0C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A0F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A120000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A150000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A180000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A1B0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A1E0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A210000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A240000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A270000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A2A0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A2D0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A300000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A330000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A360000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A390000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A3C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A3F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A420000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A450000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A480000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A4B0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A4E0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A510000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A540000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A570000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A5A0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A5D0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A600000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A630000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A660000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A690000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A6C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A6F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A720000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A750000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A780000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A7B0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A7E0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A810000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A840000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A870000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A8A0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A8D0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A900000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A930000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A960000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A990000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A9C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1A9F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AA20000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AA50000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AA80000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AAB0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AAE0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AB10000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AB40000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AB70000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1ABA0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1ABD0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AC00000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AC30000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AC60000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AC90000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1ACC0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1ACF0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AD20000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AD50000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AD80000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1ADB0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1ADE0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AE10000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AE40000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AE70000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AEA0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AED0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AF00000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AF30000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AF60000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AF90000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AFC0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1AFF0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B020000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B050000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B080000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B0B0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B0E0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B110000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B140000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B170000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B1A0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B1D0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B200000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B230000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B260000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B290000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B2C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B2F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B320000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B350000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B380000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B3B0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B3E0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B410000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B440000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B470000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B4A0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B4D0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B500000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B530000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B560000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B590000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B5C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B5F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B620000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B650000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B680000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B6B0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B6E0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B710000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B740000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B770000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B7A0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B7D0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B800000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B830000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B860000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B890000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B8C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B8F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B920000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B950000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B980000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B9B0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B9E0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BA10000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BA40000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BA70000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BAA0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BAD0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BB00000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BB30000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BB60000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BB90000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BBC0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BBF0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BC20000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BC50000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BC80000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BCB0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BCE0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BD10000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BD40000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BD70000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BDA0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BDD0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BE00000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BE30000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BE60000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BE90000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BEC0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BEF0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BF20000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BF50000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BF80000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BFB0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BFE0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C010000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C040000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C070000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C0A0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C0D0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C100000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C130000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C160000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C190000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C1C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C1F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C220000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C250000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C280000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C2B0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C2E0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C310000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C340000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C370000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C3A0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C3D0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C400000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C430000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C460000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C490000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C4C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C4F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C520000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C550000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C580000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C5B0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C5E0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C610000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C640000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C670000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C6A0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C6D0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C700000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C730000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C760000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C790000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C7C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C7F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C820000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C850000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C880000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C8B0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C8E0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C910000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C940000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C970000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C9A0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C9D0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CA00000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CA30000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CA60000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CA90000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CAC0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CAF0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CB20000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CB50000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CB80000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CBB0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CBE0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CC10000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CC40000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CC70000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CCA0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CCD0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CD00000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CD30000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CD60000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CD90000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CDC0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CDF0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CE20000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CE50000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CE80000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CEB0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CEE0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CF10000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CF40000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CF70000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CFA0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CFD0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D000000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D030000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D060000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D090000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D0C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D0F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D120000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D150000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D180000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D1B0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D1E0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D210000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D240000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D270000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D2A0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D2D0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D300000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D330000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D360000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D390000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D3C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D3F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D420000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D450000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D480000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D4B0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D4E0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D510000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D540000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D570000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D5A0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D5D0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D600000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D630000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D660000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D690000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D6C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D6F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D720000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D750000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D780000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D7B0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D7E0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D810000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D840000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D870000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D8A0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D8D0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D900000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D930000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D960000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D990000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D9C0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D9F0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DA20000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DA50000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DA80000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DAB0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DAE0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DB10000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DB40000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DB70000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DBA0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DBD0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DC00000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DC30000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DC60000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DC90000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DCC0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DCF0000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DD20000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DD50000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DD80000 protect: page no access Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DDB0000 protect: page no access Jump to behavior
Changes memory attributes in foreign processes to executable or writable
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 400000 protect: page readonly Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 401000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 40F000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 411000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 413000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 18230000 protect: page readonly Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 18231000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 1823F000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 18241000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 18243000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18230000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18260000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18290000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 182C0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 182F0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18320000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18350000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18380000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 183B0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 183E0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18410000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18440000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18470000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 184A0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 184D0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18500000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18530000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18560000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18590000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 185C0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 185F0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18620000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18650000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18680000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 186B0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 186E0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18710000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18740000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18770000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 187A0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 187D0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18800000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18830000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18860000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18890000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 188C0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 188F0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18920000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18950000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18980000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 189B0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 189E0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18A10000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18A40000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18A70000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18AA0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18AD0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B00000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B30000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B60000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B90000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18BC0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18BF0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C20000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C50000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C80000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18CB0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18CE0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18D10000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18D40000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18D70000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18DA0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18DD0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E00000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E30000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E60000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E90000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18EC0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18EF0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F20000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F50000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F80000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18FB0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18FE0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19010000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19040000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19070000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 190A0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 190D0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19100000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19130000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19160000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19190000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 191C0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 191F0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19220000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19250000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19280000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 192B0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 192E0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19310000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19340000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19370000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 193A0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 193D0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19430000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19460000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19490000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 194C0000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 40F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 411000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 413000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18230000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18231000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1823F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18241000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18243000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18260000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18261000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1826F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18271000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18273000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18290000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18291000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1829F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 182A1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 182A3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 182C0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 182C1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 182CF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 182D1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 182D3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 182F0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 182F1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 182FF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18301000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18303000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18320000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18321000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1832F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18331000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18333000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18350000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18351000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1835F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18361000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18363000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18380000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18381000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1838F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18391000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18393000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 183B0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 183B1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 183BF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 183C1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 183C3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 183E0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 183E1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 183EF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 183F1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 183F3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18410000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18411000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1841F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18421000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18423000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18440000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18441000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1844F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18451000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18453000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18470000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18471000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1847F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18481000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18483000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 184A0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 184A1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 184AF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 184B1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 184B3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 184D0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 184D1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 184DF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 184E1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 184E3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18500000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18501000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1850F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18511000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18513000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18530000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18531000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1853F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18541000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18543000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18560000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18561000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1856F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18571000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18573000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18590000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18591000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1859F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 185A1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 185A3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 185C0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 185C1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 185CF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 185D1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 185D3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 185F0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 185F1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 185FF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18601000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18603000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18620000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18621000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1862F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18631000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18633000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18650000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18651000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1865F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18661000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18663000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18680000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18681000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1868F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18691000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18693000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 186B0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 186B1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 186BF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 186C1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 186C3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 186E0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 186E1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 186EF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 186F1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 186F3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18710000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18711000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1871F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18721000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18723000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18740000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18741000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1874F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18751000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18753000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18770000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18771000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1877F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18781000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18783000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 187A0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 187A1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 187AF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 187B1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 187B3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 187D0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 187D1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 187DF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 187E1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 187E3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18800000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18801000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1880F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18811000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18813000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18830000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18831000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1883F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18841000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18843000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18860000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18861000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1886F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18871000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18873000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18890000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18891000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1889F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 188A1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 188A3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 188C0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 188C1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 188CF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 188D1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 188D3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 188F0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 188F1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 188FF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18901000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18903000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18920000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18921000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1892F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18931000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18933000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18950000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18951000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1895F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18961000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18963000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18980000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18981000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1898F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18991000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18993000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 189B0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 189B1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 189BF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 189C1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 189C3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 189E0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 189E1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 189EF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 189F1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 189F3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18A10000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18A11000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18A1F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18A21000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18A23000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18A40000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18A41000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18A4F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18A51000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18A53000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18A70000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18A71000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18A7F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18A81000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18A83000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18AA0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18AA1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18AAF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18AB1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18AB3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18AD0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18AD1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18ADF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18AE1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18AE3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B00000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B01000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B0F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B11000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B13000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B30000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B31000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B3F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B41000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B43000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B60000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B61000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B6F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B71000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B73000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B90000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B91000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18B9F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18BA1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18BA3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18BC0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18BC1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18BCF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18BD1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18BD3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18BF0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18BF1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18BFF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C01000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C03000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C20000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C21000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C2F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C31000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C33000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C50000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C51000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C5F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C61000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C63000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C80000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C81000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C8F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C91000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18C93000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18CB0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18CB1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18CBF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18CC1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18CC3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18CE0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18CE1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18CEF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18CF1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18CF3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18D10000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18D11000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18D1F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18D21000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18D23000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18D40000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18D41000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18D4F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18D51000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18D53000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18D70000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18D71000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18D7F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18D81000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18D83000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18DA0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18DA1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18DAF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18DB1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18DB3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18DD0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18DD1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18DDF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18DE1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18DE3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E00000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E01000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E0F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E11000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E13000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E30000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E31000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E3F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E41000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E43000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E60000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E61000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E6F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E71000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E73000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E90000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E91000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18E9F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18EA1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18EA3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18EC0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18EC1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18ECF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18ED1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18ED3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18EF0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18EF1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18EFF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F01000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F03000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F20000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F21000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F2F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F31000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F33000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F50000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F51000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F5F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F61000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F63000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F80000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F81000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F8F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F91000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18F93000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18FB0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18FB1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18FBF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18FC1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18FC3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18FE0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18FE1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18FEF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18FF1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18FF3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19010000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19011000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1901F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19021000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19023000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19040000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19041000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1904F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19051000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19053000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19070000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19071000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1907F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19081000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19083000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 190A0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 190A1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 190AF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 190B1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 190B3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 190D0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 190D1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 190DF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 190E1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 190E3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19100000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19101000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1910F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19111000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19113000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19130000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19131000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1913F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19141000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19143000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19160000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19161000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1916F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19171000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19173000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19190000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19191000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1919F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 191A1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 191A3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 191C0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 191C1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 191CF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 191D1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 191D3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 191F0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 191F1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 191FF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19201000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19203000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19220000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19221000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1922F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19231000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19233000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19250000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19251000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1925F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19261000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19263000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19280000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19281000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1928F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19291000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19293000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 192B0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 192B1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 192BF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 192C1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 192C3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 192E0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 192E1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 192EF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 192F1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 192F3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19310000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19311000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1931F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19321000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19323000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19340000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19341000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1934F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19351000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19353000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19370000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19371000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1937F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19381000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19383000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 193A0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 193A1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 193AF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 193B1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 193B3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 193D0000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 193D1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 193DF000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 193E1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 193E3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19400000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19401000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1940F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19411000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19413000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19430000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19431000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1943F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19441000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19443000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19460000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19461000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1946F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19471000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19473000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19490000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 19491000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 1949F000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 194A1000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 194A3000 Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0040A517 GetCurrentProcessId,GetProcAddress,SetErrorMode,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,GetUserDefaultUILanguage, 0_2_0040A517
Source: winlogon.exe, 00000002.00000000.1997732559.000001E858D81000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: winlogon.exe, 00000002.00000000.1997732559.000001E858D81000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000002.00000000.1997732559.000001E858D81000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: winlogon.exe, 00000002.00000000.1997732559.000001E858D81000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0041C694 CreateNamedPipeW,CreateEventW,CreateEventW,CreateThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,WaitForSingleObject, 0_2_0041C694
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_00415492 CertOpenSystemStoreW,PFXExportCertStore,PFXExportCertStore,GetSystemTime,wnsprintfW,CertDuplicateCertificateContext,CertDeleteCRLFromStore,CertEnumCertificatesInStore,CertCloseStore, 0_2_00415492
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0040A8B2 CreateToolhelp32Snapshot,GetUserNameW,lstrcpyW,SHGetSpecialFolderPathW,Process32FirstW,lstrcmpiW,OpenProcess,K32GetModuleFileNameExW,PathCombineW,lstrcmpiW,lstrcmpiW,CloseHandle,Process32NextW,CloseHandle,CloseHandle,CloseHandle, 0_2_0040A8B2
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0041D16C PathCombineW,PathCombineW,GetModuleFileNameA,GetTimeZoneInformation,GetVersionExW,lstrlenW, 0_2_0041D16C
Source: C:\Users\user\Desktop\nwVe0gplCc.exe Code function: 0_2_0041D16C PathCombineW,PathCombineW,GetModuleFileNameA,GetTimeZoneInformation,GetVersionExW,lstrlenW, 0_2_0041D16C
AV process strings found (often used to terminate AV products)
Source: nwVe0gplCc.exe, 00000000.00000002.3243321217.00000000007CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: zlclient.exe
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1430646 Sample: nwVe0gplCc.exe Startdate: 24/04/2024 Architecture: WINDOWS Score: 100 14 Antivirus detection for dropped file 2->14 16 Antivirus / Scanner detection for submitted sample 2->16 18 Multi AV Scanner detection for submitted file 2->18 20 3 other signatures 2->20 6 nwVe0gplCc.exe 1 5 2->6         started        process3 file4 12 C:\Windows\SysWOW64\ntos.exe, MS-DOS 6->12 dropped 22 Creates an undocumented autostart registry key 6->22 24 Changes memory attributes in foreign processes to executable or writable 6->24 26 Writes to foreign memory regions 6->26 28 2 other signatures 6->28 10 winlogon.exe 6->10 injected signatures5 process6
No contacted IP infos