Analysis Report zeus 1_1.2.7.16.vir

Overview

General Information

Sample Name: zeus 1_1.2.7.16.vir (renamed file extension from vir to exe)
Analysis ID: 247311
MD5: 110bb0c198f670b5596d69dd555758b5
SHA1: 35415b49a99545a7887432fb0acfbf52bbea2d24
SHA256: c09598cf7797d78f3da54d780bb4180ce6518216ec25fe85063f7af4fbd486c5

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • zeus 1_1.2.7.16.exe (PID: 2496 cmdline: 'C:\Users\user\Desktop\zeus 1_1.2.7.16.exe' MD5: 110BB0C198F670B5596D69DD555758B5)
    • winlogon.exe (PID: 548 cmdline: MD5: 3E56F9D58EBBB1B33E31B86267DBECFC)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\winlogon.exe, NewProcessName: C:\Windows\System32\winlogon.exe, OriginalFileName: C:\Windows\System32\winlogon.exe, ParentCommandLine: 'C:\Users\user\Desktop\zeus 1_1.2.7.16.exe' , ParentImage: C:\Users\user\Desktop\zeus 1_1.2.7.16.exe, ParentProcessId: 2496, ProcessCommandLine: , ProcessId: 548

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: zeus 1_1.2.7.16.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Windows\SysWOW64\sdra64.exe Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for submitted file
Source: zeus 1_1.2.7.16.exe Virustotal: Detection: 84%
Source: zeus 1_1.2.7.16.exe Metadefender: Detection: 76%
Source: zeus 1_1.2.7.16.exe ReversingLabs: Detection: 92%
Machine Learning detection for dropped file
Source: C:\Windows\SysWOW64\sdra64.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: zeus 1_1.2.7.16.exe Joe Sandbox ML: detected
Source: 0.0.zeus 1_1.2.7.16.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.3.zeus 1_1.2.7.16.exe.530000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 0.3.zeus 1_1.2.7.16.exe.550000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_0040DFA7 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_0040DFA7
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_004112AA FindFirstFileW,FindClose,FindFirstFileW,FindClose,CreateMutexW,MoveFileExW,0_2_004112AA
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_0040A15D PathCombineW,FindFirstFileW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,0_2_0040A15D
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_0040F9C7 PathCombineW,FindFirstFileW,PathCombineW,PathCombineW,FindNextFileW,FindClose,0_2_0040F9C7
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_00404180 PathCombineW,FindFirstFileW,PathCombineW,WaitForSingleObject,RtlEnterCriticalSection,PathMatchSpecW,PathCombineW,wnsprintfW,WaitForSingleObject,RtlLeaveCriticalSection,Sleep,FindNextFileW,FindClose,0_2_00404180
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_00406F85 ExpandEnvironmentStringsW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,FindNextFileW,FindClose,0_2_00406F85
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_0040DA47 CreateFileW,RtlAllocateHeap,WaitForSingleObject,InternetReadFile,WriteFile,FlushFileBuffers,CloseHandle,0_2_0040DA47
Source: zeus 1_1.2.7.16.exe, 00000000.00000002.1201500570.0000000002373000.00000004.00000040.sdmpString found in binary or memory: https://onlineeast#.bankofamerica.com/cgi-bin/ias/
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_00405617 GetClipboardData,GlobalFix,GlobalUnWire,0_2_00405617
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_0040577B GetTickCount,GetCurrentProcessId,wnsprintfW,GetKeyState,GetKeyState,GetKeyboardState,ToUnicode,WideCharToMultiByte,0_2_0040577B
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_3_0054271B NtProtectVirtualMemory,0_3_0054271B
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_3_005426D2 NtFreeVirtualMemory,0_3_005426D2
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_3_005426BE NtAllocateVirtualMemory,0_3_005426BE
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_3_0054284A NtFreeVirtualMemory,0_3_0054284A
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_00406CD5 NtQueryInformationProcess,CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle,NtCreateThread,0_2_00406CD5
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_00405352 NtQueryDirectoryFile,NtQueryObject,lstrcmpiW,0_2_00405352
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_0040977D CreateFileW,NtQueryObject,lstrcpyW,CloseHandle,0_2_0040977D
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_00409DDF GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,GetForegroundWindow,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,CloseHandle,DuplicateTokenEx,LoadLibraryA,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CreateProcessW,CloseHandle,CloseHandle,0_2_00409DDF
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_0040A251 ExitWindowsEx,0_2_0040A251
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exe File created: C:\Windows\SysWOW64\sdra64.exe
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_0040DEB40_2_0040DEB4
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_0040E1210_2_0040E121
Source: zeus 1_1.2.7.16.exe, 00000000.00000000.776579854.0000000000419000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamelTH1Vf56KGqg5NDD vs zeus 1_1.2.7.16.exe
Source: zeus 1_1.2.7.16.exeBinary or memory string: OriginalFilenamelTH1Vf56KGqg5NDD vs zeus 1_1.2.7.16.exe
Source: zeus 1_1.2.7.16.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sdra64.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engineClassification label: mal100.evad.winEXE@1/2@0/1
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_00403E75 CertOpenSystemStoreW,PFXExportCertStore,PFXExportCertStore,GetSystemTime,wnsprintfW,CertDuplicateCertificateContext,CertDeleteCRLFromStore,CertEnumCertificatesInStore,CertCloseStore,0_2_00403E75
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_0040F230 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,0_2_0040F230
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_00409A4E CreateToolhelp32Snapshot,GetUserNameW,lstrcpyW,SHGetSpecialFolderPathW,Process32FirstW,lstrcmpiW,OpenProcess,K32GetModuleFileNameExW,PathCombineW,lstrcmpiW,lstrcmpiW,CloseHandle,Process32NextW,CloseHandle,FindCloseChangeNotification,FindCloseChangeNotification,0_2_00409A4E
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMutant created: \Sessions\1\BaseNamedObjects\_AVIRA_21099
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exe File read: C:\Users\user\Desktop\zeus 1_1.2.7.16.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exe Unpacked PE file: 0.2.zeus 1_1.2.7.16.exe.400000.0.unpack .text:ER;.data:R;.rdata:R;.rsrc:R; vs .text:ER;.data:W;.reloc:R;.data1:W;
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_004094B3 LoadLibraryA,GetProcAddress,0_2_004094B3
Source: zeus 1_1.2.7.16.exeStatic PE information: real checksum: 0x18488 should be: 0xac379
Source: sdra64.exe.0.drStatic PE information: real checksum: 0x18488 should be: 0xdc260
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_3_00542B47 push ecx; ret 0_3_00542B48
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_3_00542B17 push eax; ret 0_3_00542B26
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_3_00542B1E push eax; ret 0_3_00542B26
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_3_0054273D push eax; ret 0_3_00542753
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_004121D8 push DC00401Bh; retf 0040h0_2_00412311
Source: initial sample Static PE information: section name: .text entropy: 7.93043162948
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exe File created: C:\Windows\SysWOW64\sdra64.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon userinit
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_00407E29 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadCursorW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,0_2_00407E29
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_3_00542940 rdtsc 0_3_00542940
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\sdra64.exe
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exe TID: 2104 Thread sleep count: 209 > 30
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_3_005424D8 LdrLoadDll,0_3_005424D8
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_3_00542443 mov ebx, dword ptr fs:[00000030h]0_3_00542443
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_3_00542771 mov edx, dword ptr fs:[00000030h]0_3_00542771
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeCode function: 0_2_0040955B HeapCreate,GetProcessHeap,RtlAllocateHeap,GetCurrentProcessId,IsBadHugeReadPtr,GetUserDefaultUILanguage,GetUserNameW,0_2_0040955B
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 400000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 400000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 401000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 412000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 414000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 416000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12270000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12270000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12271000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12282000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12284000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12286000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12290000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12290000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12291000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122A2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122A4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122A6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122B0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122B0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122B1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122C2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122C4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122C6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122D0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122D0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122D1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122E2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122E4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122E6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122F0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122F0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122F1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12302000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12304000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12306000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12310000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12310000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12311000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12322000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12324000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12326000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12330000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12330000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12331000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12342000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12344000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12346000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12350000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12350000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12351000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12362000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12364000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12366000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12370000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12370000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12371000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12382000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12384000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12386000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12390000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12390000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12391000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123A2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123A4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123A6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123B0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123B0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123B1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123C2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123C4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123C6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123D0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123D0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123D1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123E2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123E4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123E6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123F0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123F0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123F1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12402000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12404000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12406000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12410000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12410000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12411000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12422000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12424000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12426000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12430000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12430000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12431000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12442000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12444000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12446000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12450000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.7.16.exe