Analysis Report glGb1KYfX6

Overview

General Information

Sample Name: glGb1KYfX6 (renamed file extension from none to exe)
Analysis ID: 368363
MD5: 8944bc22235936b73bdf874bfa4d1a64
SHA1: 6f48fb18ffd6497fbdc951b4d96340e878921d91
SHA256: d1bf7ec60bcb74dd395f92a1ddb5a2a66e9913514e0f7428681e9a8d7fe25b1e
Tags: zeus1
Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Startup

  • System is w10x64
  • glGb1KYfX6.exe (PID: 4144 cmdline: 'C:\Users\user\Desktop\glGb1KYfX6.exe' MD5: 8944BC22235936B73BDF874BFA4D1A64)
    • winlogon.exe (PID: 560 cmdline: MD5: F9017F2DC455AD373DF036F5817A8870)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started Author: vburov: Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\winlogon.exe, NewProcessName: C:\Windows\System32\winlogon.exe, OriginalFileName: C:\Windows\System32\winlogon.exe, ParentCommandLine: 'C:\Users\user\Desktop\glGb1KYfX6.exe' , ParentImage: C:\Users\user\Desktop\glGb1KYfX6.exe, ParentProcessId: 4144, ProcessCommandLine: , ProcessId: 560

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: glGb1KYfX6.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Windows\SysWOW64\sdra64.exe Avira: detection malicious, Label: TR/ATRAPS.Gen2
Multi AV Scanner detection for submitted file
Source: glGb1KYfX6.exe Virustotal: Detection: 87%
Source: glGb1KYfX6.exe ReversingLabs: Detection: 91%
Machine Learning detection for dropped file
Source: C:\Windows\SysWOW64\sdra64.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: glGb1KYfX6.exe Joe Sandbox ML: detected
Source: 0.0.glGb1KYfX6.exe.400000.0.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 0.1.glGb1KYfX6.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_004101CA CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: glGb1KYfX6.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040B844 PathCombineW,FindFirstFileW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_00413853 FindFirstFileW,FindClose,FindFirstFileW,FindClose,CreateMutexW,MoveFileExW,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_00413682 PathCombineW,FindFirstFileW,wnsprintfW,PathCombineW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_004048AC PathCombineW,FindFirstFileW,PathCombineW,WaitForSingleObject,RtlEnterCriticalSection,PathMatchSpecW,PathCombineW,wnsprintfW,WaitForSingleObject,RtlLeaveCriticalSection,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_00407F27 ExpandEnvironmentStringsW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040C598 SHGetSpecialFolderPathW,PathCombineW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,WideCharToMultiByte,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_00411DB9 PathCombineW,FindFirstFileW,PathCombineW,PathCombineW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_00407066 InternetReadFile,
Source: winlogon.exe, 00000002.00000002.465403884.000000000D741000.00000040.00000001.sdmp String found in binary or memory: https://bc.nsk.
Source: glGb1KYfX6.exe, 00000000.00000002.459555222.00000000023A3000.00000004.00000040.sdmp String found in binary or memory: https://onlineeast#.bankofamerica.com/cgi-bin/ias/
Source: glGb1KYfX6.exe, winlogon.exe, 00000002.00000002.465403884.000000000D741000.00000040.00000001.sdmp String found in binary or memory: https://www.faktura.ru/enter.jsp?site=
Source: glGb1KYfX6.exe, 00000000.00000002.459555222.00000000023A3000.00000004.00000040.sdmp, winlogon.exe, 00000002.00000002.465403884.000000000D741000.00000040.00000001.sdmp String found in binary or memory: https://www.faktura.ru/enter.jsp?site=%S
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040652B GetClipboardData,GlobalFix,GlobalUnWire,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040668F GetTickCount,GetCurrentProcessId,wnsprintfW,GetKeyState,GetKeyState,GetKeyboardState,ToUnicode,WideCharToMultiByte,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040AE64 CreateFileW,NtQueryObject,lstrcpyW,CloseHandle,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_00406266 NtQueryDirectoryFile,NtQueryObject,lstrcmpiW,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_00405F35 NtCreateFile,PathRemoveFileSpecW,PathCombineW,CreateFileW,CloseHandle,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_00407BE9 NtQueryInformationProcess,CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle,NtCreateThread,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040B4C6 GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,GetForegroundWindow,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,CloseHandle,DuplicateTokenEx,LoadLibraryA,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CreateProcessW,CloseHandle,CloseHandle,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040B938 ExitWindowsEx,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe File created: C:\Windows\SysWOW64\sdra64.exe
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_004100D7
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_004103AE
Source: glGb1KYfX6.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sdra64.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.evad.winEXE@1/2@0/0
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_004045A1 CertOpenSystemStoreW,PFXExportCertStore,PFXExportCertStore,GetSystemTime,wnsprintfW,CertDuplicateCertificateContext,CertDeleteCRLFromStore,CertEnumCertificatesInStore,CertCloseStore,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_00411622 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040B135 CreateToolhelp32Snapshot,GetUserNameW,lstrcpyW,SHGetSpecialFolderPathW,Process32FirstW,lstrcmpiW,OpenProcess,K32GetModuleFileNameExW,PathCombineW,lstrcmpiW,lstrcmpiW,CloseHandle,Process32NextW,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Mutant created: \Sessions\1\BaseNamedObjects\_AVIRA_21099
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\glGb1KYfX6.exe File read: C:\Users\user\Desktop\glGb1KYfX6.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Unpacked PE file: 0.2.glGb1KYfX6.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.data:W;.reloc:R;.data1:W;
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040AB9A LoadLibraryA,GetProcAddress,
Source: initial sample Static PE information: section name: .text entropy: 6.93746073005
Source: C:\Users\user\Desktop\glGb1KYfX6.exe File created: C:\Windows\SysWOW64\sdra64.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon userinit
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_00408DDB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadCursorW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\sdra64.exe
Source: C:\Users\user\Desktop\glGb1KYfX6.exe TID: 3892 Thread sleep count: 196 > 30
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_00405C1F LdrGetProcedureAddress,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040AB9A LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040AC42 HeapCreate,GetProcessHeap,RtlAllocateHeap,GetCurrentProcessId,IsBadHugeReadPtr,GetUserDefaultUILanguage,GetUserNameW,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC54000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC56000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC58000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC60000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC60000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC61000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC74000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC76000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC78000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC80000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC80000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC81000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC94000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC96000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC98000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCA0000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCA0000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCA1000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCB4000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCB6000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCB8000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCC0000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCC0000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCC1000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCD4000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCD6000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCD8000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCE0000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCE0000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCE1000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCF4000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCF6000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCF8000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD00000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD00000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD01000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD14000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD16000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD18000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD20000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD20000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD21000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD34000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD36000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD38000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD40000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD40000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD41000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD54000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD56000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD58000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD60000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD60000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD61000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD74000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD76000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD78000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD80000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD80000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD81000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD94000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD96000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD98000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDA0000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDA0000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDA1000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDB4000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDB6000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDB8000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDC0000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDC0000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDC1000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDD4000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDD6000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDD8000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDE0000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDE0000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDE1000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDF4000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDF6000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDF8000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE00000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE00000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE01000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE14000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE16000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE18000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE20000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE20000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE21000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE34000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE36000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE38000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE40000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE40000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE41000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE54000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE56000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE58000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE60000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE60000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE61000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE74000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE76000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE78000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE80000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE80000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE81000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE94000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE96000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE98000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEA0000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEA0000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEA1000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEB4000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEB6000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEB8000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEC0000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEC0000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEC1000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CED4000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CED6000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CED8000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEE0000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEE0000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEE1000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEF4000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEF6000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEF8000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF00000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF00000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF01000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF14000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF16000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF18000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF20000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF20000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF21000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF34000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF36000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF38000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF40000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF40000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF41000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF54000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF56000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF58000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF60000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF60000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF61000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF74000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF76000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF78000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF80000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF80000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF81000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF94000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF96000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF98000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFA0000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFA0000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFA1000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFB4000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFB6000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFB8000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFC0000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFC0000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFC1000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFD4000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFD6000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFD8000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFE0000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFE0000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFE1000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFF4000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFF6000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFF8000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D000000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D000000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D001000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D014000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D016000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D018000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D020000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D020000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D021000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D034000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D036000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D038000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D040000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D040000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D041000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D054000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D056000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D058000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D060000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D060000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D061000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D074000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D076000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D078000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D080000 protect: page no access
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D080000 protect: page read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D081000 protect: page read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC01000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC14000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC16000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC18000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC20000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC21000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC34000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC36000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC38000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC40000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC41000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC54000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC56000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC58000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC60000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC61000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC74000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC76000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC78000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC80000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC81000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC94000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC96000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC98000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCA0000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCA1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCB4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCB6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCB8000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCC0000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCC1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCD4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCD6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCD8000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCE0000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCE1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCF4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCF6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCF8000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD00000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD01000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD14000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD16000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD18000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD20000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD21000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD34000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD36000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD38000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD40000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD41000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD54000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD56000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD58000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD60000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD61000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD74000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD76000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD78000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD80000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD81000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD94000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD96000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD98000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDA0000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDA1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDB4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDB6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDB8000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDC0000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDC1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDD4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDD6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDD8000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDE0000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDE1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDF4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDF6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDF8000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE00000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE01000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE14000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE16000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE18000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE20000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE21000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE34000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE36000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE38000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE40000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE41000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE54000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE56000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE58000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE60000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE61000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE74000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE76000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE78000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE80000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE81000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE94000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE96000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE98000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEA0000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEA1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEB4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEB6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEB8000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEC0000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEC1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CED4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CED6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CED8000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEE0000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEE1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEF4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEF6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEF8000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF00000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF01000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF14000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF16000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF18000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF20000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF21000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF34000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF36000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF38000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF40000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF41000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF54000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF56000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF58000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF60000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF61000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF74000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF76000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF78000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF80000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF81000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF94000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF96000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF98000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFA0000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFA1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFB4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFB6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFB8000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFC0000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFC1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFD4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFD6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFD8000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFE0000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFE1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFF4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFF6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFF8000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D000000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D001000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D014000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D016000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D018000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D020000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D021000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D034000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D036000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D038000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D040000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D041000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D054000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D056000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D058000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D060000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D061000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D074000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D076000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D078000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D080000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D081000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D094000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D096000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D098000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D0A0000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D0A1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D0B4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D0B6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D0B8000 protect: page execute and read and write
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D0C0000 protect: page readonly
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D0C1000 protect: page execute and read and write
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040B6B3 OpenWindowStationA,SetProcessWindowStation,OpenDesktopA,SetThreadDesktop,CloseDesktop,CloseWindowStation,
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D060000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D080000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D0A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D0C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D0E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D100000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D120000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D140000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D160000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D180000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D1A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D1C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D1E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D200000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D220000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D240000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D260000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D280000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D2A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D2C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D2E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D300000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D320000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D340000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D360000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D380000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D3A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D3C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D3E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D420000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D440000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D460000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D480000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D4A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D4C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D4E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D500000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D520000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D540000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D560000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D580000 value starts with: 4D5A
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D5A0000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF41000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF54000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF56000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF58000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF60000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF61000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF74000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF76000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF78000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF80000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF81000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF94000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF96000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF98000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFA0000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFA1000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFB4000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFB6000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFB8000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFC0000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFC1000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFD4000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFD6000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFD8000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFE0000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFE1000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFF4000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFF6000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFF8000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D000000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D001000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D014000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D016000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D018000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D020000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D021000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D034000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D036000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D038000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D040000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D041000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D054000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D056000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D058000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D060000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D061000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D074000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D076000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D078000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D080000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D081000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D094000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D096000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D098000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D0A0000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D0A1000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D0B4000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D0B6000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D0B8000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D0C0000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D0C1000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D0D4000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D0D6000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D0D8000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D0E0000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D0E1000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D0F4000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D0F6000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D0F8000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D100000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D101000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D114000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D116000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D118000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D120000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D121000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D134000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D136000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D138000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D140000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D141000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D154000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D156000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D158000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D160000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D161000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D174000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D176000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D178000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D180000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D181000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D194000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D196000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D198000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D1A0000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D1A1000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D1B4000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D1B6000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D1B8000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D1C0000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D1C1000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D1D4000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D1D6000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D1D8000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D1E0000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D1E1000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D1F4000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D1F6000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D1F8000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D200000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D201000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D214000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D216000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D218000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D220000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D221000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D234000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D236000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D238000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D240000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D241000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D254000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D256000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D258000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D260000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D261000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D274000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D276000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D278000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D280000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D281000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D294000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D296000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D298000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D2A0000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D2A1000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D2B4000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D2B6000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D2B8000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D2C0000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D2C1000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D2D4000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D2D6000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D2D8000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D2E0000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D2E1000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D2F4000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D2F6000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D2F8000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D300000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D301000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D314000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D316000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D318000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D320000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D321000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D334000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D336000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D338000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D340000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D341000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D354000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D356000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D358000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D360000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D361000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D374000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D376000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D378000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D380000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D381000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D394000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D396000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D398000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D3A0000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D3A1000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D3B4000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D3B6000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D3B8000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D3C0000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D3C1000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D3D4000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D3D6000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D3D8000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D3E0000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D3E1000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D3F4000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D3F6000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D3F8000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D400000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D401000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D414000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D416000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D418000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D420000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D421000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D434000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D436000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D438000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D440000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D441000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D454000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D456000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D458000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D460000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D461000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D474000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D476000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D478000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D480000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D481000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D494000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D496000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D498000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D4A0000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D4A1000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D4B4000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D4B6000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D4B8000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D4C0000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D4C1000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D4D4000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D4D6000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D4D8000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D4E0000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D4E1000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D4F4000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D4F6000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D4F8000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D500000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D501000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D514000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D516000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D518000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D520000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D521000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D534000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D536000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D538000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D540000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D541000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D554000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D556000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D558000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D560000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D561000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D574000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D576000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D578000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D580000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D581000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D594000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D596000
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D598000
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_00412BFD InitializeSecurityDescriptor,SetSecurityDescriptorDacl,
Source: glGb1KYfX6.exe, 00000000.00000002.459336076.0000000000CA0000.00000002.00000001.sdmp, winlogon.exe, 00000002.00000002.485332816.000002388D3F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: glGb1KYfX6.exe, 00000000.00000002.459336076.0000000000CA0000.00000002.00000001.sdmp, winlogon.exe, 00000002.00000002.485332816.000002388D3F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: glGb1KYfX6.exe, 00000000.00000002.459336076.0000000000CA0000.00000002.00000001.sdmp, winlogon.exe, 00000002.00000002.485332816.000002388D3F0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: glGb1KYfX6.exe, 00000000.00000002.459336076.0000000000CA0000.00000002.00000001.sdmp, winlogon.exe, 00000002.00000002.485332816.000002388D3F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040A8E2 RtlAllocateHeap,CreateNamedPipeW,CreateEventW,CreateEventW,CloseHandle,CloseHandle,CloseHandle,WaitForSingleObject,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040F233 GetSystemTime,SystemTimeToFileTime,__aulldiv,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040AC42 HeapCreate,GetProcessHeap,RtlAllocateHeap,GetCurrentProcessId,IsBadHugeReadPtr,GetUserDefaultUILanguage,GetUserNameW,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040F272 GetTimeZoneInformation,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_00412CCE GetTickCount,GetVersionExW,GetUserDefaultUILanguage,GetModuleFileNameW,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_004106C8 socket,bind,listen,closesocket,
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_00410986 socket,bind,closesocket,

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Valid Accounts 1 | Native API 1 | Valid Accounts 1 | Valid Accounts 1 | Masquerading 2 | Input Capture 11 | System Time Discovery 2 | Remote Services | Input Capture 11 | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1 |
| Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder 1 | Access Token Manipulation 11 | Valid Accounts 1 | LSASS Memory | Security Software Discovery 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Application Shimming 1 | Process Injection 42 | Virtualization/Sandbox Evasion 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder 1 | Access Token Manipulation 11 | NTDS | Process Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Application Shimming 1 | Process Injection 42 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Install Root Certificate 1 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 13 | Proc Filesystem | System Information Discovery 3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
glGb1KYfX6.exe | 88% | Virustotal | | Browse
glGb1KYfX6.exe | 91% | ReversingLabs | Win32.Trojan.Zeus |
glGb1KYfX6.exe | 100% | Avira | TR/ATRAPS.Gen2 |
glGb1KYfX6.exe | 100% | Joe Sandbox ML | |

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Windows\SysWOW64\sdra64.exe | 100% | Avira | TR/ATRAPS.Gen2 |
C:\Windows\SysWOW64\sdra64.exe | 100% | Joe Sandbox ML | |

Unpacked PE Files


Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
https://bc.nsk. | 0% | Avira URL Cloud | safe |
https://onlineeast#.bankofamerica.com/cgi-bin/ias/ | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.faktura.ru/enter.jsp?site= | glGb1KYfX6.exe, winlogon.exe, 00000002.00000002.465403884.000000000D741000.00000040.00000001.sdmp | false | | high
https://bc.nsk. | winlogon.exe, 00000002.00000002.465403884.000000000D741000.00000040.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.faktura.ru/enter.jsp?site=%S | glGb1KYfX6.exe, 00000000.00000002.459555222.00000000023A3000.00000004.00000040.sdmp, winlogon.exe, 00000002.00000002.465403884.000000000D741000.00000040.00000001.sdmp | false | | high
https://onlineeast#.bankofamerica.com/cgi-bin/ias/ | glGb1KYfX6.exe, 00000000.00000002.459555222.00000000023A3000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | low

      Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox Version:31.0.0 Emerald
      Analysis ID:368363
      Start date:14.03.2021
      Start time:03:02:11
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 5m 23s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:glGb1KYfX6 (renamed file extension from none to exe)
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:22
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:1
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.evad.winEXE@1/2@0/0
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 95.4% (good quality ratio 90.2%)
      • Quality average: 83.3%
      • Quality standard deviation: 27.6%
      HCA Information:Failed
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      Warnings:
      • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtWriteVirtualMemory calls found.

      Simulations

      Behavior and APIs

      No simulations

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Windows\SysWOW64\sdra64.exe
      Process:C:\Users\user\Desktop\glGb1KYfX6.exe
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:modified
      Size (bytes):529408
      Entropy (8bit):7.446899077949846
      Encrypted:false
      SSDEEP:12288:/1ekq9qv+41dEAMY535cZoBg0r20v4YkA3ieEMLnZg:/ckAmaAF32f0r2w4kLLG
      MD5:F4B5E29A4AB7133AA34463A01F313CC0
      SHA1:9AEBA004BA54F3800FD95C97B6E2FBF774E881B2
      SHA-256:3DB80A4033B4F71879C44264AE29444400FC94C902BFE706870218425BB0F13F
      SHA-512:4FC0730662207D94376FA7A5CF4A4DF15C887E3754929EA9C6B1020A10DF21EB8670C1F89C399CBAC7B694745BF16A0B1BBD222F10A9B447FC4923C0C3BC9968
      Malicious:true
      Antivirus:
      • Antivirus: Avira, Detection: 100%
      • Antivirus: Joe Sandbox ML, Detection: 100%
      Reputation:low
      C:\Windows\SysWOW64\sdra64.exe:Zone.Identifier
      Process:C:\Users\user\Desktop\glGb1KYfX6.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):26
      Entropy (8bit):3.95006375643621
      Encrypted:false
      SSDEEP:3:ggPYV:rPYV
      MD5:187F488E27DB4AF347237FE461A079AD
      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
      Malicious:true
      Reputation:high, very likely benign file
      Preview: [ZoneTransfer]....ZoneId=0

      Static File Info

      General

      File type:PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit):6.854645796088476
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:glGb1KYfX6.exe
      File size:89600
      MD5:8944bc22235936b73bdf874bfa4d1a64
      SHA1:6f48fb18ffd6497fbdc951b4d96340e878921d91
      SHA256:d1bf7ec60bcb74dd395f92a1ddb5a2a66e9913514e0f7428681e9a8d7fe25b1e
      SHA512:e3d637bdb3d5c4fda8a34eb3f47bdee837c514c5481067cf8c20a523430ca2b5bcd8ea20c5c79d7ea3c627b214cf89dc59c96c6d1a3983f6c77a489c489de9c2
      SSDEEP:1536:lTSvBFUz/BK0IUzdpQJ4anbsbeoXBbvLRb0JJlBQx7IlPuo/SfDEhxDEhv+143xo:lCF0K0IipQJzbsttLRbKJXQx7OuoafD2

      File Icon

      Icon Hash:00828e8e8686b000

      Static PE Info

      General

      Entrypoint:0x40aba8
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
      DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
      Time Stamp:0x471C8667 [Mon Oct 22 11:15:51 2007 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:4c317a879868b941a965444eede73069

      Entrypoint Preview

      Instruction
      call dword ptr [00413154h]
      cmp eax, 00000000h
      jne 00007F474527B25Bh
      push eax
      mov eax, esp
      push eax
      push 000000FBh
      push eax
      push eax
      call dword ptr [00413840h]
      push ebx
      mov ebx, eax
      call 00007F474527B246h
      ret
      mov eax, 00011E13h
      sub eax, 000D4A19h
      add eax, 000D4BA3h
      mov ecx, edx
      sub esp, 04h
      mov dword ptr [esp], ecx
      sub esp, 04h
      mov dword ptr [esp], 00000040h
      push 00003000h
      push eax
      sub esp, 04h
      mov dword ptr [esp], 00000000h
      call dword ptr [00413814h]
      mov ecx, dword ptr [esp]
      add esp, 04h
      mov ecx, esi
      mov esi, dword ptr [esp]
      add esi, 000000B4h
      mov edi, eax
      mov ecx, 000001E3h
      push eax
      mov edx, 0470E26Dh
      add dl, bl
      xor ebp, ebp
      sub esp, 04h
      mov dword ptr [esp], edx
      push edx
      mov bh, byte ptr [esi]
      add bh, byte ptr [esp+04h]
      add byte ptr [edi], bh
      pop edx
      pop edx
      inc esi
      sub edi, 0001A485h
      add edi, 0001A486h
      xor eax, eax
      sub eax, 000758B9h
      add eax, 000758BDh
      inc ebp
      shr edx, 08h
      cmp eax, ebp
      jne 00007F474527B24Eh
      mov ebp, 0470E26Dh
      mov edx, ebp
      mov ebp, 00000000h
      add dl, bl
      sub ecx, 000A10FDh
      add ecx, 000010FCh

      Data Directories

      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13a00 | 0x78 | .rdata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x940 | .rdata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

      Sections

      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0x1141e | 0x11600 | False | 0.838621290468 | data | 6.93746073005 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      .rdata | 0x13000 | 0x4190 | 0x4200 | False | 0.407788825758 | COM executable for DOS | 5.58195571948 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data | 0x18000 | 0x146 | 0x200 | False | 0.3046875 | data | 2.0215018045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

      Imports

      DLLImport
      USER32.dllIsCharAlphaA, BringWindowToTop, CopyAcceleratorTableA, DdeKeepStringHandle, FindWindowExA, InsertMenuW, LookupIconIdFromDirectoryEx, IsWindowEnabled, EnumPropsExW, SetSysColors, GetClassInfoExA, SendMessageTimeoutA, DrawCaption, GetMonitorInfoA, CreatePopupMenu, SetMenuItemInfoA, EnumWindowStationsW, ToUnicode, SubtractRect, ChangeDisplaySettingsA, SetScrollRange, SetDlgItemInt, DestroyMenu, CreateIconFromResourceEx, IsDialogMessage, GetWindowRgn, RealGetWindowClass, CreateDialogIndirectParamA, SetWindowTextW, CallWindowProcW, HideCaret, SetPropW, CharUpperW, LoadBitmapA, SetWindowLongW, GetSystemMetrics, CallNextHookEx, SetForegroundWindow, LoadMenuW, CharToOemBuffA, IsDialogMessageA, TabbedTextOutA, DdeCreateStringHandleA, ValidateRect, EnumDesktopsA, CreateAcceleratorTableW, DialogBoxIndirectParamA, GetUpdateRect, GetMenuItemID, GetWindowInfo, MapVirtualKeyExA, DdeQueryStringW, FrameRect, EnumDisplaySettingsExA, ToUnicodeEx, SendMessageW, IsZoomed, GetScrollRange, SetPropA, IsCharAlphaW, GetWindowModuleFileNameA, WaitForInputIdle, CopyAcceleratorTableW, IsCharUpperA, MonitorFromWindow, GetClassInfoExW, IsRectEmpty, TrackPopupMenuEx, CreateIconIndirect, SetWindowTextA, SetRectEmpty, DlgDirListW, TrackMouseEvent, GetMenuItemInfoA, DrawFrameControl, CloseDesktop, GetWindowThreadProcessId, SetScrollInfo, DrawFrame, GetMessageA, AttachThreadInput, InsertMenuItemW, GetFocus, ChangeDisplaySettingsExA, ScrollWindow, SwitchDesktop, GetClassLongW, MonitorFromRect, SetKeyboardState, TranslateAcceleratorA, PostThreadMessageA, AppendMenuA, DrawIconEx, GetWindowContextHelpId, CharToOemW, ChangeMenuW, DlgDirSelectExW, LoadImageW, MsgWaitForMultipleObjects, UnpackDDElParam, DispatchMessageA, BlockInput, SetMessageExtraInfo, TrackPopupMenu, GetKeyboardLayoutNameA, DragDetect, GetUserObjectSecurity, UnloadKeyboardLayout, IsDialogMessageW, MapVirtualKeyW, RegisterClipboardFormatA, GetMenuStringA, CharNextA, GetKeyState, GetAsyncKeyState, SendMessageTimeoutW, 
DdePostAdvise, DrawTextW, GetCaretBlinkTime, CharPrevW, GetNextDlgTabItem, GetCursorInfo, GetDC, GetThreadDesktop, CloseWindowStation, DdeCreateStringHandleW, GetKeyNameTextW, GetWindowLongA, GetKBCodePage, DdeFreeDataHandle, LoadCursorW, GetWindowTextW, DestroyCursor, RemovePropW, IsCharLowerW, DrawStateA, EnableScrollBar, DdeSetUserHandle, EnumPropsW, GetSysColor, GetActiveWindow, EndPaint, FlashWindowEx
      ADVAPI32.dllRegSetValueA, SetSecurityInfo, LookupPrivilegeNameA, GetAccessPermissionsForObjectA, CreateServiceA, RegQueryMultipleValuesA, CryptSignHashA, CreatePrivateObjectSecurity, AdjustTokenPrivileges, QueryServiceStatus, ReportEventW, LookupAccountNameA, RegSetValueExA, GetOverlappedAccessResults, LookupPrivilegeValueW, CryptEnumProviderTypesA, CreateProcessAsUserA, ConvertSecurityDescriptorToAccessNamedA, RegEnumValueA, SetEntriesInAclW, QueryServiceLockStatusW, ConvertSecurityDescriptorToAccessA, AddAccessDeniedAce, CryptSignHashW, ControlService, RegQueryValueExW, RegDeleteKeyA, PrivilegedServiceAuditAlarmA, ImpersonateLoggedOnUser, RegDeleteValueW, CryptDestroyKey, SetTokenInformation, LookupSecurityDescriptorPartsW, GetServiceKeyNameA, DuplicateTokenEx, ConvertAccessToSecurityDescriptorW, LookupPrivilegeDisplayNameA, BuildTrusteeWithNameA, LookupPrivilegeValueA, RegConnectRegistryA, ReportEventA, AddAce, CryptReleaseContext, EqualSid, StartServiceCtrlDispatcherA, OpenThreadToken, SetServiceStatus, AddAuditAccessAce, CryptHashSessionKey, GetExplicitEntriesFromAclA, BuildImpersonateExplicitAccessWithNameW, NotifyBootConfigStatus, CryptGetDefaultProviderW, GetMultipleTrusteeA, CryptDuplicateHash, EqualPrefixSid, CreateServiceW, GetPrivateObjectSecurity, GetAclInformation, CryptGetDefaultProviderA, MakeSelfRelativeSD, MapGenericMask, GetServiceDisplayNameW, GetMultipleTrusteeW, OpenEventLogW, DestroyPrivateObjectSecurity, DeleteService, GetSecurityInfo, RegOpenKeyW, RegSaveKeyW, SetNamedSecurityInfoA, ObjectCloseAuditAlarmW, RegQueryMultipleValuesW, LogonUserA, AddAccessAllowedAce, CryptGetProvParam, ClearEventLogA, EnumServicesStatusW, SetNamedSecurityInfoW, GetSidLengthRequired, GetSecurityDescriptorOwner, ObjectOpenAuditAlarmW, LockServiceDatabase, GetSidIdentifierAuthority, RegQueryInfoKeyA, GetEffectiveRightsFromAclA, BackupEventLogW, ObjectDeleteAuditAlarmA, OpenBackupEventLogW, GetAccessPermissionsForObjectW, GetEffectiveRightsFromAclW, 
ImpersonateSelf, BuildTrusteeWithNameW, LookupPrivilegeNameW, CryptGetHashParam, RegEnumKeyExA, AbortSystemShutdownA, InitiateSystemShutdownA, RegQueryValueA, OpenSCManagerA, BuildSecurityDescriptorW, ObjectPrivilegeAuditAlarmW, CryptEnumProviderTypesW, CryptSetProviderExW, CryptExportKey, SetEntriesInAccessListA
      SHLWAPI.dllPathIsRelativeA, HashData, SHDeleteKeyW, SHOpenRegStream2W, PathStripPathW, SHRegQueryUSValueW, StrRetToBufA, PathParseIconLocationW, SHSetThreadRef, ColorHLSToRGB, UrlCreateFromPathW, StrCatBuffW, UrlApplySchemeW, SHSkipJunction, UrlUnescapeW, StrRStrIW, PathCompactPathExW, SHAutoComplete, PathMakeSystemFolderA, PathGetCharTypeA, IntlStrEqWorkerA, PathRemoveExtensionA, ColorAdjustLuma, SHRegOpenUSKeyW, SHRegGetBoolUSValueA, PathIsPrefixA, PathRelativePathToW, UrlHashA, SHRegEnumUSValueW, PathMakePrettyA, StrIsIntlEqualA, SHDeleteEmptyKeyW, UrlIsOpaqueA, PathIsSameRootW, SHCopyKeyW, PathFindExtensionW, PathIsDirectoryA, UrlCompareW, PathIsPrefixW, GetMenuPosFromID, StrStrIW, PathAppendA, SHCreateStreamOnFileW, PathAddExtensionW, wnsprintfW, PathRemoveBackslashW, PathUndecorateA, StrCmpW, SHRegQueryInfoUSKeyW, UrlGetLocationW, UrlCompareA, UrlCanonicalizeA, PathFindNextComponentW, SHQueryInfoKeyA, UrlCanonicalizeW, SHRegSetUSValueW, PathFindFileNameW, StrSpnW, PathIsUNCA, SHGetValueW, PathUnmakeSystemFolderA, UrlIsNoHistoryA, PathFindFileNameA, PathIsSystemFolderW, PathAddExtensionA, StrStrA, PathFindSuffixArrayW, StrPBrkA, StrFromTimeIntervalA, SHIsLowMemoryMachine, PathRemoveFileSpecW, SHOpenRegStream2A, PathGetDriveNumberW, PathRemoveBlanksW, StrCmpNW, PathStripPathA, SHRegDeleteEmptyUSKeyW, PathFileExistsW, StrCmpNIW, PathFileExistsA, SHRegGetBoolUSValueW, StrRChrW, StrChrIW, PathIsUNCServerA, PathIsRootA, PathSearchAndQualifyW, PathCreateFromUrlW, StrToIntExA, PathRemoveArgsW, StrCpyNW, StrRetToBufW, PathGetArgsA, SHCreateShellPalette, StrDupA, PathCommonPrefixA, PathIsContentTypeA, PathStripToRootW, PathQuoteSpacesA, IntlStrEqWorkerW, PathCombineA, PathMatchSpecW, SHRegOpenUSKeyA, SHDeleteKeyA, StrFormatByteSize64A, SHStrDupA, StrCSpnIW, PathUnmakeSystemFolderW, wvnsprintfA
      ole32.dllCoRevokeClassObject, OleGetIconOfFile, StgSetTimes, OleRun, CoCreateGuid, MkParseDisplayName, OleLoad, UtConvertDvtd16toDvtd32, CoLockObjectExternal, CoFreeLibrary, WriteStringStream, ReadFmtUserTypeStg, WriteClassStm, GetHGlobalFromILockBytes, OleDestroyMenuDescriptor, IsAccelerator, OleQueryCreateFromData, CoRegisterChannelHook, CoRevertToSelf, CreateILockBytesOnHGlobal, MonikerCommonPrefixWith, StgGetIFillLockBytesOnILockBytes, OleInitialize, OleUninitialize, OleDuplicateData, SetConvertStg, CoGetMalloc, CoFileTimeToDosDateTime, CoUninitialize, CoTreatAsClass, CreatePointerMoniker, UpdateDCOMSettings, OleConvertIStorageToOLESTREAM, CoRegisterMessageFilter, CreateDataAdviseHolder, CoGetPSClsid, OleRegGetMiscStatus, OleQueryLinkFromData, CoCopyProxy, OleGetAutoConvert, OleNoteObjectVisible, IIDFromString, OleCreateStaticFromData, IsEqualGUID, OleSetAutoConvert, ReadClassStg, StgGetIFillLockBytesOnFile, StgOpenStorage, UtConvertDvtd32toDvtd16, CreateBindCtx, CoFreeUnusedLibraries, CoLoadLibrary, StringFromIID, OleGetClipboard, CoGetObject, CoQueryAuthenticationServices, StgCreateDocfileOnILockBytes, SetDocumentBitStg, OleCreateFromFile, WriteOleStg, CoCreateInstance, WriteFmtUserTypeStg, RevokeDragDrop, CoTaskMemFree, GetClassFile, CoRevokeMallocSpy, CoGetCurrentLogicalThreadId, OleDraw, OleGetIconOfClass, OpenOrCreateStream, OleRegEnumVerbs, StgIsStorageILockBytes, OleConvertIStorageToOLESTREAMEx, CoUnmarshalHresult, CoTaskMemAlloc, CoGetInstanceFromFile, CoCreateFreeThreadedMarshaler, EnableHookObject, OleCreateDefaultHandler, OleSave, CoInitialize, OleSetMenuDescriptor, OleCreateLinkEx, OleCreateLink, CoInitializeEx, OleCreateFromFileEx, OleRegGetUserType, CoGetCallerTID, DoDragDrop, CLSIDFromProgID
      KERNEL32.dllFreeLibraryAndExitThread, VerLanguageNameA, IsDebuggerPresent, CreateDirectoryExA, GetDiskFreeSpaceExW, GetModuleHandleW, VirtualProtectEx, GetPrivateProfileIntA, FileTimeToLocalFileTime, FreeConsole, GetFileAttributesExA, lstrcpynA, GetCommMask, OpenMutexW, CreateMailslotW, EnumCalendarInfoW, GetConsoleOutputCP, LCMapStringW, FormatMessageW, GetShortPathNameW, ExitProcess, SetThreadLocale, CopyFileExW, OpenEventW, CreateEventA, WaitForMultipleObjects, EnumResourceTypesA, GetSystemTimeAsFileTime, VirtualProtect, SystemTimeToTzSpecificLocalTime, WaitForDebugEvent, GetDiskFreeSpaceW, GetConsoleScreenBufferInfo, lstrcmpW, ReadConsoleOutputAttribute, GetStartupInfoA, SetEnvironmentVariableA, GlobalMemoryStatus, SetConsoleOutputCP, WriteConsoleOutputW, HeapFree, IsBadHugeWritePtr, FlushViewOfFile, GetSystemInfo, EnumResourceLanguagesA, FillConsoleOutputCharacterW, SetCalendarInfoA, GlobalAlloc, EnumCalendarInfoA, EnumResourceLanguagesW, GetThreadContext, CreateMutexW, VirtualFree, GetWriteWatch, GetCPInfo, lstrlenA, SetVolumeLabelW, VirtualFreeEx, IsSystemResumeAutomatic, GetNamedPipeHandleStateW, GetPrivateProfileSectionA, GetTempFileNameW, GetSystemDirectoryW, CreateFiber, GlobalFindAtomW, lstrcmpA, VirtualAlloc, GetLocalTime, MoveFileExA, GetPrivateProfileStringA, GetPriorityClass, GetCurrentThread, SetupComm, EnumSystemLocalesA, SetThreadPriorityBoost, LoadResource, GetNumberOfConsoleMouseButtons, GetPrivateProfileIntW, GetBinaryTypeA, SetConsoleTitleA, ReleaseMutex, RemoveDirectoryW, HeapValidate, CreateDirectoryExW, IsBadStringPtrW, GetCurrentProcess, GetEnvironmentStringsA, EndUpdateResourceA, SetConsoleCtrlHandler, GetThreadPriorityBoost, FreeEnvironmentStringsW, GetNumberFormatW, CreateProcessW, GetFileInformationByHandle, Heap32Next, CreateFileW, GetUserDefaultLangID, ReadConsoleOutputA, GetCommProperties, GetProcAddress, CancelIo, CompareStringA, LoadLibraryA, GetProfileIntA, SetConsoleScreenBufferSize, TlsSetValue, ReadConsoleOutputW, 
WritePrivateProfileStringW, LoadLibraryExW, FindResourceExW, SetUnhandledExceptionFilter, MapViewOfFileEx, WritePrivateProfileStructA, FatalAppExitA, IsBadStringPtrA, EnumDateFormatsA, BeginUpdateResourceA, FlushInstructionCache, CopyFileA, FoldStringA, ReadConsoleA, lstrcmpiA, CreateDirectoryA, ReadFile, CreateConsoleScreenBuffer, SetProcessWorkingSetSize, WritePrivateProfileSectionW, GlobalLock, WaitCommEvent, CreateTapePartition, SetConsoleCP, SystemTimeToFileTime, SetFilePointer, GetVersion, GetDriveTypeW, PurgeComm, WritePrivateProfileSectionA, CloseHandle, lstrcmpiW, GetDateFormatW

      Network Behavior

      No network behavior found

      System Behavior

      General

      Start time:03:02:52
      Start date:14/03/2021
      Path:C:\Users\user\Desktop\glGb1KYfX6.exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\glGb1KYfX6.exe'
      Imagebase:0x400000
      File size:89600 bytes
      MD5 hash:8944BC22235936B73BDF874BFA4D1A64
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      General

      Start time:03:02:53
      Start date:14/03/2021
      Path:C:\Windows\System32\winlogon.exe
      Wow64 process (32bit):false
      Commandline:
      Imagebase:0x7ff739090000
      File size:677376 bytes
      MD5 hash:F9017F2DC455AD373DF036F5817A8870
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      Disassembly

      Code Analysis
