Loading ...

Play interactive tourEdit tour

Analysis Report zeus 1_1.2.3.1.vir

Overview

General Information

Sample Name:zeus 1_1.2.3.1.vir (renamed file extension from vir to exe)
Analysis ID:247445
MD5:0797dda9930e3b0a7345984d4fbb9509
SHA1:6c21660acf1c1af1eae98aececa607bed5305fe0
SHA256:9c01cf666c922c17867f4d2a85d090376c6f82e2c77b16de330d116f147fca59

Most interesting Screenshot:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Startup

  • System is w10x64
  • zeus 1_1.2.3.1.exe (PID: 2916 cmdline: 'C:\Users\user\Desktop\zeus 1_1.2.3.1.exe' MD5: 0797DDA9930E3B0A7345984D4FBB9509)
    • winlogon.exe (PID: 548 cmdline: MD5: 3E56F9D58EBBB1B33E31B86267DBECFC)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

barindex
Sigma detected: Windows Processes Suspicious Parent DirectoryShow sources
Source: Process startedAuthor: vburov: Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\winlogon.exe, NewProcessName: C:\Windows\System32\winlogon.exe, OriginalFileName: C:\Windows\System32\winlogon.exe, ParentCommandLine: 'C:\Users\user\Desktop\zeus 1_1.2.3.1.exe' , ParentImage: C:\Users\user\Desktop\zeus 1_1.2.3.1.exe, ParentProcessId: 2916, ProcessCommandLine: , ProcessId: 548

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Antivirus / Scanner detection for submitted sampleShow sources
Source: zeus 1_1.2.3.1.exeAvira: detected
Antivirus detection for dropped fileShow sources
Source: C:\Windows\SysWOW64\sdra64.exeAvira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for submitted fileShow sources
Source: zeus 1_1.2.3.1.exeVirustotal: Detection: 87%Perma Link
Source: zeus 1_1.2.3.1.exeMetadefender: Detection: 89%Perma Link
Source: zeus 1_1.2.3.1.exeReversingLabs: Detection: 100%
Machine Learning detection for dropped fileShow sources
Source: C:\Windows\SysWOW64\sdra64.exeJoe Sandbox ML: detected
Machine Learning detection for sampleShow sources
Source: zeus 1_1.2.3.1.exeJoe Sandbox ML: detected
Source: 0.1.zeus 1_1.2.3.1.exe.400000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen3
Source: 0.0.zeus 1_1.2.3.1.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_0040E39F CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_0040E39F
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_0040A681 PathCombineW,FindFirstFileW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,0_2_0040A681
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_00406E84 ExpandEnvironmentStringsW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,FindNextFileW,FindClose,0_2_00406E84
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_00411746 FindFirstFileW,FindClose,FindFirstFileW,FindClose,CreateMutexW,MoveFileExW,0_2_00411746
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_0040FF7B PathCombineW,FindFirstFileW,PathCombineW,PathCombineW,FindNextFileW,FindClose,0_2_0040FF7B
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_00403FE2 PathCombineW,FindFirstFileW,PathCombineW,WaitForSingleObject,RtlEnterCriticalSection,PathMatchSpecW,PathCombineW,wnsprintfW,WaitForSingleObject,RtlLeaveCriticalSection,Sleep,FindNextFileW,FindClose,0_2_00403FE2
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_0040BA65 CreateEventW,InternetQueryOptionA,InternetSetStatusCallback,InternetSetOptionA,InternetReadFileExA,GetLastError,DispatchMessageW,PeekMessageW,MsgWaitForMultipleObjects,ResetEvent,InternetSetOptionA,InternetSetStatusCallback,CloseHandle,InternetQueryOptionA,InternetCrackUrlA,GetSystemTime,wnsprintfW,GetSystemTime,InternetQueryOptionA,GetUrlCacheEntryInfoW,RtlEnterCriticalSection,RtlLeaveCriticalSection,0_2_0040BA65
Source: zeus 1_1.2.3.1.exe, 00000000.00000002.1214363661.00000000022F3000.00000004.00000040.sdmpString found in binary or memory: https://onlineeast#.bankofamerica.com/cgi-bin/ias/
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_00405471 GetClipboardData,GlobalFix,GlobalUnWire,0_2_00405471
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_004055DD GetTickCount,GetCurrentProcessId,wnsprintfW,GetKeyState,GetKeyState,GetKeyboardState,ToUnicode,WideCharToMultiByte,0_2_004055DD
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_00406B46 NtQueryInformationProcess,CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle,NtCreateThread,0_2_00406B46
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_00409D71 CreateFileW,NtQueryObject,lstrcpyW,CloseHandle,0_2_00409D71
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_004051B8 NtQueryDirectoryFile,NtQueryObject,lstrcmpiW,0_2_004051B8
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_0040A3D2 GetForegroundWindow,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,CloseHandle,CreateProcessAsUserW,CloseHandle,CreateProcessW,CloseHandle,CloseHandle,0_2_0040A3D2
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_0040A775 ExitWindowsEx,0_2_0040A775
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeFile created: C:\Windows\SysWOW64\sdra64.exeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_0040E2AC0_2_0040E2AC
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_0040E57D0_2_0040E57D
Source: zeus 1_1.2.3.1.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sdra64.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engineClassification label: mal100.evad.winEXE@1/2@0/1
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_00403CD7 CertOpenSystemStoreW,PFXExportCertStore,PFXExportCertStore,GetSystemTime,wnsprintfW,CertDuplicateCertificateContext,CertDeleteCRLFromStore,CertEnumCertificatesInStore,CertCloseStore,0_2_00403CD7
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_0040F7CF OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,0_2_0040F7CF
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_0040A041 CreateToolhelp32Snapshot,GetUserNameW,lstrcpyW,SHGetSpecialFolderPathW,Process32FirstW,lstrcmpiW,OpenProcess,K32GetModuleFileNameExW,PathCombineW,lstrcmpiW,lstrcmpiW,CloseHandle,Process32NextW,CloseHandle,FindCloseChangeNotification,FindCloseChangeNotification,0_2_0040A041
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMutant created: \Sessions\1\BaseNamedObjects\_AVIRA_21099
Source: zeus 1_1.2.3.1.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: zeus 1_1.2.3.1.exeVirustotal: Detection: 87%
Source: zeus 1_1.2.3.1.exeMetadefender: Detection: 89%
Source: zeus 1_1.2.3.1.exeReversingLabs: Detection: 100%
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeFile read: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeJump to behavior

Data Obfuscation:

barindex
Detected unpacking (changes PE section rights)Show sources
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeUnpacked PE file: 0.2.zeus 1_1.2.3.1.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.data:W;.reloc:R;.data1:W;
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_00409AC3 LoadLibraryA,GetProcAddress,0_2_00409AC3
Source: initial sampleStatic PE information: section name: .text entropy: 7.22640789062
Source: initial sampleStatic PE information: section name: .text entropy: 7.22640789062
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeFile created: C:\Windows\SysWOW64\sdra64.exeJump to dropped file
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeFile created: C:\Windows\SysWOW64\sdra64.exeJump to dropped file

Boot Survival:

barindex
Creates an undocumented autostart registry key Show sources
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon userinitJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_00407D31 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadCursorW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,0_2_00407D31
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeDropped PE file which has not been started: C:\Windows\SysWOW64\sdra64.exeJump to dropped file
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exe TID: 1076Thread sleep count: 180 > 30Jump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_0040A681 PathCombineW,FindFirstFileW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,0_2_0040A681
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_00406E84 ExpandEnvironmentStringsW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,FindNextFileW,FindClose,0_2_00406E84
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_00411746 FindFirstFileW,FindClose,FindFirstFileW,FindClose,CreateMutexW,MoveFileExW,0_2_00411746
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_0040FF7B PathCombineW,FindFirstFileW,PathCombineW,PathCombineW,FindNextFileW,FindClose,0_2_0040FF7B
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_00403FE2 PathCombineW,FindFirstFileW,PathCombineW,WaitForSingleObject,RtlEnterCriticalSection,PathMatchSpecW,PathCombineW,wnsprintfW,WaitForSingleObject,RtlLeaveCriticalSection,Sleep,FindNextFileW,FindClose,0_2_00403FE2
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_0040509F LdrGetProcedureAddress,0_2_0040509F
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_00409AC3 LoadLibraryA,GetProcAddress,0_2_00409AC3
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeCode function: 0_2_00409B6F HeapCreate,GetProcessHeap,GetCurrentProcessId,GetUserDefaultUILanguage,GetUserNameW,0_2_00409B6F
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeProcess token adjusted: DebugJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Allocates memory in foreign processesShow sources
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 400000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 400000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 401000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 412000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 414000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 416000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12270000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12270000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12271000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12282000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12284000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12286000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12290000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12290000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12291000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122A2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122A4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122A6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122B0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122B0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122B1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122C2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122C4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122C6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122D0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122D0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122D1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122E2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122E4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122E6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122F0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122F0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 122F1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12302000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12304000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12306000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12310000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12310000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12311000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12322000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12324000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12326000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12330000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12330000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12331000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12342000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12344000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12346000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12350000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12350000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12351000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12362000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12364000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12366000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12370000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12370000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12371000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12382000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12384000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12386000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12390000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12390000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12391000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123A2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123A4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123A6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123B0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123B0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123B1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123C2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123C4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123C6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123D0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123D0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123D1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123E2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123E4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123E6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123F0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123F0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 123F1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12402000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12404000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12406000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12410000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12410000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12411000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12422000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12424000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12426000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12430000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12430000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12431000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12442000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12444000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12446000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12450000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12450000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12451000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12462000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12464000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12466000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12470000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12470000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12471000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12482000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12484000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12486000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12490000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12490000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12491000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 124A2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 124A4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 124A6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 124B0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 124B0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 124B1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 124C2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 124C4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 124C6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 124D0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 124D0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 124D1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 124E2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 124E4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 124E6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 124F0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 124F0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 124F1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12502000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12504000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12506000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12510000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12510000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12511000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12522000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12524000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12526000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12530000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12530000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12531000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12542000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12544000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12546000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12550000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12550000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12551000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12562000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12564000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12566000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12570000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12570000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12571000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12582000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12584000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12586000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12590000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12590000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12591000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 125A2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 125A4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 125A6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 125B0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 125B0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 125B1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 125C2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 125C4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 125C6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 125D0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 125D0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 125D1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 125E2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 125E4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 125E6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 125F0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 125F0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 125F1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12602000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12604000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12606000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12610000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12610000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12611000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12622000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12624000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12626000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12630000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12630000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12631000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12642000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12644000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12646000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12650000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12650000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12651000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12662000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12664000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12666000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12670000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12670000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12671000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12682000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12684000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12686000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12690000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12690000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12691000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 126A2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 126A4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 126A6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 126B0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 126B0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 126B1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 126C2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 126C4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 126C6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 126D0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 126D0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 126D1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 126E2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 126E4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 126E6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 126F0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 126F0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 126F1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12702000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12704000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12706000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12710000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12710000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12711000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12722000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12724000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12726000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12730000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12730000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12731000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12742000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12744000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12746000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12750000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12750000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12751000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12762000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12764000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12766000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12770000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12770000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12771000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12782000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12784000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12786000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12790000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12790000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12791000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 127A2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 127A4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 127A6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 127B0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 127B0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 127B1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 127C2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 127C4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 127C6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 127D0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 127D0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 127D1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 127E2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 127E4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 127E6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 127F0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 127F0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 127F1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12802000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12804000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12806000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12810000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12810000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12811000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12822000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12824000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12826000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12830000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12830000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12831000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12842000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12844000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12846000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12850000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12850000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12851000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12862000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\zeus 1_1.2.3.1.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 12864000 protect: page read and