Analysis Report zeus 1_1.2.4.10.vir

Overview

General Information

Sample Name: zeus 1_1.2.4.10.vir (renamed file extension from vir to exe)
Analysis ID: 247166
MD5: b9c618bfccb4c700f538415b4a475992
SHA1: e548106618d37564ec9271cd622f980837e98057
SHA256: 8df08ecd3c08c6e28a5d73869b6c3a980363856cce72dd9a1c2170c75332a451

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • zeus 1_1.2.4.10.exe (PID: 4600 cmdline: 'C:\Users\user\Desktop\zeus 1_1.2.4.10.exe' MD5: B9C618BFCCB4C700F538415B4A475992)
    • tmp2.exe (PID: 4808 cmdline: C:\Users\user\AppData\Local\Temp\tmp2.exe MD5: A9B2054ADF150709FDB27DEF286008B1)
      • winlogon.exe (PID: 548 cmdline: MD5: 3E56F9D58EBBB1B33E31B86267DBECFC)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\winlogon.exe, NewProcessName: C:\Windows\System32\winlogon.exe, OriginalFileName: C:\Windows\System32\winlogon.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\tmp2.exe, ParentImage: C:\Users\user\AppData\Local\Temp\tmp2.exe, ParentProcessId: 4808, ProcessCommandLine: , ProcessId: 548

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: zeus 1_1.2.4.10.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Windows\SysWOW64\sdra64.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\tmp1.exe, Virustotal: Detection: 6%
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Virustotal: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, ReversingLabs: Detection: 96%
Multi AV Scanner detection for submitted file
Source: zeus 1_1.2.4.10.exe, Virustotal: Detection: 88%
Source: zeus 1_1.2.4.10.exe, Metadefender: Detection: 76%
Source: zeus 1_1.2.4.10.exe, ReversingLabs: Detection: 93%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\sdra64.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: zeus 1_1.2.4.10.exe, Joe Sandbox ML: detected
Source: 1.1.tmp2.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.2.zeus 1_1.2.4.10.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 0.2.zeus 1_1.2.4.10.exe.404000.1.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.tmp2.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.0.zeus 1_1.2.4.10.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_0040E66F CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_00410265 PathCombineW,FindFirstFileW,PathCombineW,PathCombineW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_0040A871 PathCombineW,FindFirstFileW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_00411A04 FindFirstFileW,FindClose,FindFirstFileW,FindClose,CreateMutexW,MoveFileExW
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_004040EB PathCombineW,FindFirstFileW,PathCombineW,WaitForSingleObject,RtlEnterCriticalSection,PathMatchSpecW,PathCombineW,wnsprintfW,WaitForSingleObject,RtlLeaveCriticalSection,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_00406F91 ExpandEnvironmentStringsW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_0040EA43 select,recv
Source: tmp2.exe, 00000001.00000002.866040303.00000000008E3000.00000004.00000040.sdmp, String found in binary or memory: https://onlineeast#.bankofamerica.com/cgi-bin/ias/
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_00405582 GetClipboardData,GlobalFix,GlobalUnWire
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_004056E6 GetTickCount,GetCurrentProcessId,wnsprintfW,GetKeyState,GetKeyState,GetKeyboardState,ToUnicode,WideCharToMultiByte

System Summary:

PE file has nameless sections
Source: zeus 1_1.2.4.10.exe, Static PE information: section name:
Source: zeus 1_1.2.4.10.exe, Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_00406C53 NtQueryInformationProcess,CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle,NtCreateThread
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_00409E95 CreateFileW,NtQueryObject,lstrcpyW,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_004052BD NtQueryDirectoryFile,NtQueryObject,lstrcmpiW
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_0040A4F7 GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,GetForegroundWindow,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,CloseHandle,DuplicateTokenEx,LoadLibraryA,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CreateProcessW,CloseHandle,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_0040A965 ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, File created: C:\Windows\SysWOW64\sdra64.exe
Source: C:\Users\user\Desktop\zeus 1_1.2.4.10.exe, Code function: 0_2_004062E0
Source: C:\Users\user\Desktop\zeus 1_1.2.4.10.exe, Code function: 0_2_00419310
Source: C:\Users\user\Desktop\zeus 1_1.2.4.10.exe, Code function: 0_2_00416DD0
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_0040E853
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_00412002
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_0040E57C
Source: tmp1.exe.0.dr, Static PE information: No import functions for PE file found
Source: tmp1.exe.0.dr, Static PE information: Data appended to the last section found
Source: tmp2.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sdra64.exe.1.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine, Classification label: mal100.evad.winEXE@4/3@0/1
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_00403DE0 CertOpenSystemStoreW,PFXExportCertStore,PFXExportCertStore,GetSystemTime,wnsprintfW,CertDuplicateCertificateContext,CertDeleteCRLFromStore,CertEnumCertificatesInStore,CertCloseStore
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_0040FAC7 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_0040583B CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,Process32NextW,FindCloseChangeNotification
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Mutant created: \Sessions\1\BaseNamedObjects\_AVIRA_21099
Source: C:\Users\user\Desktop\zeus 1_1.2.4.10.exe, File created: C:\Users\user\AppData\Local\Temp\tmp1.exe
Source: C:\Users\user\Desktop\zeus 1_1.2.4.10.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Users\user\Desktop\zeus 1_1.2.4.10.exe 'C:\Users\user\Desktop\zeus 1_1.2.4.10.exe'
Source: unknown, Process created: C:\Users\user\AppData\Local\Temp\tmp2.exe C:\Users\user\AppData\Local\Temp\tmp2.exe
Source: C:\Users\user\Desktop\zeus 1_1.2.4.10.exe, Process created: C:\Users\user\AppData\Local\Temp\tmp2.exe C:\Users\user\AppData\Local\Temp\tmp2.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Unpacked PE file: 1.2.tmp2.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.data:W;.reloc:R;.data1:W;
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_00409BCB LoadLibraryA,GetProcAddress
Source: zeus 1_1.2.4.10.exe, Static PE information: section name:
Source: zeus 1_1.2.4.10.exe, Static PE information: section name:
Source: tmp1.exe.0.dr, Static PE information: section name: .data1
Source: C:\Users\user\Desktop\zeus 1_1.2.4.10.exe, Code function: 0_2_00421019 pushfd ; iretd
Source: C:\Users\user\Desktop\zeus 1_1.2.4.10.exe, Code function: 0_2_0041F8BC push cs; ret
Source: C:\Users\user\Desktop\zeus 1_1.2.4.10.exe, Code function: 0_2_00420B8B push 00000000h; retf
Source: C:\Users\user\Desktop\zeus 1_1.2.4.10.exe, Code function: 0_2_0041EBA9 push es; retn 001Ah
Source: C:\Users\user\Desktop\zeus 1_1.2.4.10.exe, Code function: 0_2_0041DEC4 push es; ret
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_0046BB91 push dword ptr [ebx]; retf
Source: initial sample, Static PE information: section name: entropy: 7.12508911808
Source: initial sample, Static PE information: section name: .text entropy: 7.23145219564
Source: C:\Users\user\Desktop\zeus 1_1.2.4.10.exe, File created: C:\Users\user\AppData\Local\Temp\tmp2.exe
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, File created: C:\Windows\SysWOW64\sdra64.exe
Source: C:\Users\user\Desktop\zeus 1_1.2.4.10.exe, File created: C:\Users\user\AppData\Local\Temp\tmp1.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon userinit
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_00407E30 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadCursorW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,VirtualAlloc
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Dropped PE file which has not been started: C:\Windows\SysWOW64\sdra64.exe
Source: C:\Users\user\Desktop\zeus 1_1.2.4.10.exe, Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmp1.exe
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe TID: 1336, Thread sleep count: 230 > 30
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_00410265 PathCombineW,FindFirstFileW,PathCombineW,PathCombineW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_0040A871 PathCombineW,FindFirstFileW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_00411A04 FindFirstFileW,FindClose,FindFirstFileW,FindClose,CreateMutexW,MoveFileExW
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_004040EB PathCombineW,FindFirstFileW,PathCombineW,WaitForSingleObject,RtlEnterCriticalSection,PathMatchSpecW,PathCombineW,wnsprintfW,WaitForSingleObject,RtlLeaveCriticalSection,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_00406F91 ExpandEnvironmentStringsW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_00405209 LdrGetDllHandle,LdrLoadDll,RtlEnterCriticalSection,RtlLeaveCriticalSection
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_00409BCB LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Code function: 1_2_00409C73 HeapCreate,GetProcessHeap,RtlAllocateHeap,GetCurrentProcessId,IsBadHugeReadPtr,GetUserDefaultUILanguage,GetUserNameW
Source: C:\Users\user\AppData\Local\Temp\tmp2.exe, Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A3A0000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A3A1000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A3B2000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A3B4000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A3B6000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A3C0000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A3C0000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A3C1000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A3D2000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A3D4000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A3D6000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A3E0000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A3E0000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A3E1000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A3F2000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A3F4000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A3F6000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A400000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A400000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A401000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A412000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A414000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A416000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A420000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A420000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A421000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A432000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A434000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A436000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A440000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A440000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A441000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A452000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A454000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A456000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A460000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A460000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A461000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A472000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A474000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A476000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A480000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A480000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A481000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A492000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A494000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A496000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A4A0000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A4A0000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A4A1000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A4B2000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A4B4000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A4B6000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A4C0000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A4C0000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A4C1000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A4D2000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A4D4000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A4D6000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A4E0000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A4E0000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A4E1000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A4F2000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A4F4000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A4F6000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A500000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A500000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A501000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A512000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A514000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A516000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A520000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A520000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A521000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A532000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A534000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A536000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A540000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A540000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A541000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A552000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A554000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A556000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A560000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A560000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A561000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A572000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A574000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A576000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A580000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A580000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A581000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A592000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A594000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A596000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A5A0000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A5A0000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A5A1000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A5B2000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A5B4000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A5B6000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A5C0000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A5C0000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A5C1000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A5D2000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A5D4000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A5D6000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A5E0000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A5E0000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A5E1000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A5F2000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A5F4000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A5F6000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A600000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A600000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A601000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A612000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A614000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A616000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A620000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A620000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A621000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A632000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A634000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A636000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A640000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A640000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A641000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A652000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A654000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A656000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A660000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A660000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A661000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A672000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A674000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A676000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A680000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A680000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A681000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A692000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A694000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A696000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A6A0000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A6A0000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A6A1000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A6B2000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A6B4000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A6B6000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A6C0000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A6C0000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A6C1000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A6D2000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A6D4000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A6D6000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A6E0000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A6E0000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A6E1000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A6F2000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A6F4000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A6F6000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A700000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A700000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A701000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A712000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A714000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A716000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A720000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A720000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A721000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A732000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A734000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A736000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A740000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A740000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A741000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A752000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A754000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A756000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A760000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A760000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A761000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A772000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A774000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A776000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A780000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A780000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A781000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A792000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A794000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A796000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A7A0000 protect: page no access
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A7A0000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A7A1000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A7B2000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\tmp2.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 2A7B4000 protect: page read and write
Changes memory attributes in foreign processes to executable or writable