Analysis Report P8jE8nmN7G

Overview

General Information

Sample Name: P8jE8nmN7G (renamed file extension from none to exe)
Analysis ID: 409287
MD5: ac514dce9416eb9e4148431016629174
SHA1: b0e1d96605cdc3da995a667a1fdc7189b67bfdcd
SHA256: 67334c1b7f629c04efefbfb466e5996a425af4a43c07a5ce51d4f142222b0de7
Tags: zeus1

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contains VNC / remote desktop functionality (version string found)
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • P8jE8nmN7G.exe (PID: 4860 cmdline: 'C:\Users\user\Desktop\P8jE8nmN7G.exe' MD5: AC514DCE9416EB9E4148431016629174)
    • winlogon.exe (PID: 560 cmdline: MD5: F9017F2DC455AD373DF036F5817A8870)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\winlogon.exe, NewProcessName: C:\Windows\System32\winlogon.exe, OriginalFileName: C:\Windows\System32\winlogon.exe, ParentCommandLine: 'C:\Users\user\Desktop\P8jE8nmN7G.exe' , ParentImage: C:\Users\user\Desktop\P8jE8nmN7G.exe, ParentProcessId: 4860, ProcessCommandLine: , ProcessId: 560

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: P8jE8nmN7G.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Windows\SysWOW64\sdra64.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for submitted file
Source: P8jE8nmN7G.exe, Virustotal: Detection: 80%
Source: P8jE8nmN7G.exe, ReversingLabs: Detection: 96%
Machine Learning detection for dropped file
Source: C:\Windows\SysWOW64\sdra64.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: P8jE8nmN7G.exe, Joe Sandbox ML: detected
Source: 0.1.P8jE8nmN7G.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.0.P8jE8nmN7G.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_004100F6 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: P8jE8nmN7G.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_0040C174 PathCombineW,FindFirstFileW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_00411D26 PathCombineW,FindFirstFileW,PathCombineW,PathCombineW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_004079FA ExpandEnvironmentStringsW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_00415582 FindFirstFileW,FindClose,FindFirstFileW,FindClose,CreateMutexW,MoveFileExW,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_00404AB1 PathCombineW,FindFirstFileW,PathCombineW,WaitForSingleObject,RtlEnterCriticalSection,PathMatchSpecW,PathCombineW,wnsprintfW,WaitForSingleObject,RtlLeaveCriticalSection,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_004104CA select,recv,
Source: P8jE8nmN7G.exe, 00000000.00000002.464936104.0000000002563000.00000004.00000040.sdmp, String found in binary or memory: https://onlineeast#.bankofamerica.com/cgi-bin/ias/
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_00405F48 GetClipboardData,GlobalFix,GlobalUnWire,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_004060AA GetTickCount,GetCurrentProcessId,wnsprintfW,GetKeyState,GetKeyState,GetKeyboardState,ToUnicode,WideCharToMultiByte,
Source: P8jE8nmN7G.exe, 00000000.00000002.464351346.000000000072A000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_00414119 OpenWindowStationW,CreateWindowStationW,GetProcessWindowStation,OpenDesktopW,CreateDesktopW,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,CloseDesktop,CloseWindowStation,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_00405C8F NtQueryDirectoryFile,NtQueryObject,lstrcmpiW,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_004096D8 NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_004076BC NtQueryInformationProcess,CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle,NtCreateThread,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_0040B798 CreateFileW,NtQueryObject,lstrcpyW,CloseHandle,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_0040BDF2 GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,GetForegroundWindow,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,CloseHandle,DuplicateTokenEx,LoadLibraryA,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CreateProcessW,CloseHandle,CloseHandle,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_0040C268 ExitWindowsEx,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, File created: C:\Windows\SysWOW64\sdra64.exe
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_00410003
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_004102DA
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_00413758
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_00551738
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Section loaded: wininet.dll
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Section loaded: secur32.dll
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Section loaded: ntmarta.dll
Source: P8jE8nmN7G.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sdra64.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine, Classification label: mal100.troj.evad.winEXE@1/2@0/0
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_004046EE CertOpenSystemStoreW,PFXExportCertStore,PFXExportCertStore,GetSystemTime,wnsprintfW,CertDuplicateCertificateContext,CertDeleteCRLFromStore,CertEnumCertificatesInStore,CertCloseStore,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_0041158D OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_004061FF CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,Process32NextW,FindCloseChangeNotification,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Mutant created: \Sessions\1\BaseNamedObjects\_AVIRA_21099
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, File read: C:\Users\user\Desktop\P8jE8nmN7G.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Unpacked PE file: 0.2.P8jE8nmN7G.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.data:W;.reloc:R;.data1:W;
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_0040B4E1 LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_00551615 push edi; ret
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_005519C3 pushad ; retf
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_005513FB push edi; iretd
Source: initial sample, Static PE information: section name: .text entropy: 7.22037238545
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, File created: C:\Windows\SysWOW64\sdra64.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon userinit
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_0040970D LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadCursorW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Dropped PE file which has not been started: C:\Windows\SysWOW64\sdra64.exe
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, TID: 4896, Thread sleep count: 209 > 30
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_00405B6F LdrGetProcedureAddress,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Code function: 0_2_0040B585 HeapCreate,GetProcessHeap,GetCurrentProcessId,IsBadHugeReadPtr,GetUserDefaultUILanguage,GetUserNameW,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe, Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC59000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC5B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC60000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC60000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC61000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC76000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC79000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC7B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC80000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC80000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC81000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC96000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC99000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC9B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCA0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCA0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCA1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCB6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCB9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCBB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCC0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCC0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCC1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCD6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCD9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCDB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCE0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCE0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCE1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCF6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCF9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCFB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD00000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD00000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD01000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD16000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD19000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD1B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD20000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD20000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD21000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD36000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD39000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD3B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD40000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD40000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD41000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD56000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD59000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD5B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD60000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD60000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD61000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD76000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD79000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD7B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD80000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD80000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD81000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD96000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD99000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD9B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDA0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDA0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDA1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDB6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDB9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDBB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDC0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDC0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDC1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDD6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDD9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDDB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDE0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDE0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDE1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDF6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDF9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDFB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE00000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE00000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE01000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE16000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE19000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE1B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE20000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE20000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE21000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE36000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE39000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE3B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE40000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE40000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE41000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE56000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE59000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE5B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE60000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE60000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE61000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE76000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE79000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE7B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE80000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE80000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE81000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE96000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE99000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE9B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEA0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEA0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEA1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEB6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEB9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEBB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEC0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEC0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEC1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CED6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CED9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEDB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEE0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEE0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEE1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEF6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEF9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEFB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF00000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF00000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF01000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF16000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF19000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF1B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF20000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF20000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF21000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF36000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF39000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF3B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF40000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF40000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF41000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF56000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF59000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF5B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF60000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF60000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF61000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF76000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF79000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF7B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF80000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF80000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF81000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF96000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF99000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF9B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFA0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFA0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFA1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFB6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFB9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFBB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFC0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFC0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFC1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFD6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFD9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFDB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFE0000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFE0000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFE1000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFF6000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFF9000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFFB000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D000000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D000000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D001000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D016000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D019000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D01B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D020000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D020000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D021000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D036000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D039000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D03B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D040000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D040000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D041000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D056000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D059000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D05B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D060000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D060000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D061000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D076000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D079000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D07B000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D080000 protect: page no access
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D080000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D081000 protect: page read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory allocated: C:\Windows\System32\winlogon.exe base: D096000 protect: page read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC01000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC16000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC19000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC1B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC20000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC21000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC36000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC39000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC3B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC40000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC41000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC56000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC59000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC5B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC60000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC61000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC76000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC79000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC7B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC80000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC81000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC96000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC99000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC9B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCA0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCA1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCB6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCB9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCBB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCC0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCC1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCD6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCD9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCDB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCE0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCE1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCF6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCF9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCFB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD00000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD01000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD16000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD19000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD1B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD20000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD21000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD36000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD39000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD3B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD40000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD41000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD56000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD59000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD5B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD60000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD61000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD76000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD79000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD7B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD80000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD81000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD96000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD99000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD9B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDA0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDA1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDB6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDB9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDBB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDC0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDC1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDD6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDD9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDDB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDE0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDE1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDF6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDF9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDFB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE00000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE01000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE16000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE19000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE1B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE20000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE21000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE36000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE39000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE3B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE40000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE41000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE56000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE59000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE5B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE60000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE61000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE76000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE79000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE7B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE80000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE81000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE96000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE99000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE9B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEA0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEA1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEB6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEB9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEBB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEC0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEC1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CED6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CED9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEDB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEE0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEE1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEF6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEF9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEFB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF00000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF01000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF16000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF19000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF1B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF20000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF21000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF36000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF39000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF3B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF40000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF41000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF56000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF59000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF5B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF60000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF61000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF76000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF79000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF7B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF80000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF81000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF96000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF99000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CF9B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFA0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFA1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFB6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFB9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFBB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFC0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFC1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFD6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFD9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFDB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFE0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFE1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFF6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFF9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: CFFB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D000000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D001000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D016000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D019000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D01B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D020000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D021000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D036000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D039000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D03B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D040000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D041000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D056000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D059000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D05B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D060000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D061000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D076000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D079000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D07B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D080000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D081000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D096000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D099000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D09B000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D0A0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D0A1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D0B6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D0B9000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D0BB000 protect: page execute and read and write
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D0C0000 protect: page readonly
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory protected: C:\Windows\System32\winlogon.exe base: D0C1000 protect: page execute and read and write
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe Code function: 0_2_0040BFE7 OpenWindowStationA, SetProcessWindowStation, OpenDesktopA, SetThreadDesktop, CloseDesktop, CloseWindowStation
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D060000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D080000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D0A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D0C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D0E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D100000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D120000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D140000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D160000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D180000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D1A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D1C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D1E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D200000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D220000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D240000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D260000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D280000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D2A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D2C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D2E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D300000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D320000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D340000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D360000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D380000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D3A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D3C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D3E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D420000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D440000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D460000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D480000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D4A0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D4C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D4E0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D500000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D520000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D540000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D560000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D580000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D5A0000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF41000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF56000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF59000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF5B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF60000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF61000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF76000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF79000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF7B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF80000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF81000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF96000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF99000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CF9B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFA0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFA1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFB6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFB9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFBB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFC0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFC1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFD6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFD9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFDB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFE0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFE1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFF6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFF9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: CFFB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D000000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D001000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D016000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D019000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D01B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D020000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D021000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D036000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D039000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D03B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D040000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D041000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D056000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D059000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D05B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D060000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D061000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D076000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D079000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D07B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D080000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D081000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D096000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D099000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D09B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D0A0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D0A1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D0B6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D0B9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D0BB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D0C0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D0C1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D0D6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D0D9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D0DB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D0E0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D0E1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D0F6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D0F9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D0FB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D100000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D101000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D116000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D119000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D11B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D120000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D121000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D136000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D139000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D13B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D140000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D141000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D156000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D159000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D15B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D160000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D161000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D176000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D179000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D17B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D180000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D181000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D196000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D199000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D19B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D1A0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D1A1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D1B6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D1B9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D1BB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D1C0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D1C1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D1D6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D1D9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D1DB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D1E0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D1E1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D1F6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D1F9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D1FB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D200000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D201000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D216000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D219000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D21B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D220000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D221000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D236000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D239000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D23B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D240000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D241000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D256000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D259000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D25B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D260000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D261000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D276000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D279000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D27B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D280000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D281000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D296000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D299000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D29B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D2A0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D2A1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D2B6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D2B9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D2BB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D2C0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D2C1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D2D6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D2D9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D2DB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D2E0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D2E1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D2F6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D2F9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D2FB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D300000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D301000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D316000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D319000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D31B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D320000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D321000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D336000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D339000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D33B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D340000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D341000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D356000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D359000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D35B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D360000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D361000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D376000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D379000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D37B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D380000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D381000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D396000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D399000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D39B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D3A0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D3A1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D3B6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D3B9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D3BB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D3C0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D3C1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D3D6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D3D9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D3DB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D3E0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D3E1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D3F6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D3F9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D3FB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D400000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D401000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D416000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D419000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D41B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D420000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D421000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D436000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D439000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D43B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D440000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D441000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D456000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D459000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D45B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D460000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D461000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D476000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D479000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D47B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D480000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D481000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D496000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D499000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D49B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D4A0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D4A1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D4B6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D4B9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D4BB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D4C0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D4C1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D4D6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D4D9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D4DB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D4E0000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D4E1000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D4F6000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D4F9000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D4FB000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D500000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D501000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D516000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D519000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D51B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D520000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D521000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D536000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D539000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D53B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D540000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D541000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D556000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D559000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D55B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D560000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D561000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D576000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D579000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D57B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D580000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D581000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D596000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D599000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exeMemory written: C:\Windows\System32\winlogon.exe base: D59B000
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe Code function: 0_2_00414AEA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,
Source: P8jE8nmN7G.exe, 00000000.00000002.464571349.0000000000DB0000.00000002.00000001.sdmp, winlogon.exe, 00000002.00000000.196746478.000002388D3F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: P8jE8nmN7G.exe, winlogon.exe, 00000002.00000000.196746478.000002388D3F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: P8jE8nmN7G.exe, 00000000.00000002.464571349.0000000000DB0000.00000002.00000001.sdmp, winlogon.exe, 00000002.00000000.196746478.000002388D3F0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: P8jE8nmN7G.exe, 00000000.00000002.464571349.0000000000DB0000.00000002.00000001.sdmp, winlogon.exe, 00000002.00000000.196746478.000002388D3F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe Code function: 0_2_0040B231 CreateNamedPipeW,CreateEventW,CreateEventW,CloseHandle,CloseHandle,CloseHandle,WaitForSingleObject,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe Code function: 0_2_0040486E PFXImportCertStore,GetSystemTime,wnsprintfW,lstrcatW,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe Code function: 0_2_0040B585 HeapCreate,GetProcessHeap,GetCurrentProcessId,IsBadHugeReadPtr,GetUserDefaultUILanguage,GetUserNameW,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe Code function: 0_2_0040F1C9 GetTimeZoneInformation,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe Code function: 0_2_00414BBB GetTickCount,GetVersionExW,GetUserDefaultUILanguage,GetModuleFileNameW,
Source: P8jE8nmN7G.exe, 00000000.00000002.465097863.00000000025DF000.00000004.00000040.sdmp Binary or memory string: zlclient.exe

Remote Access Functionality:

Contains VNC / remote desktop functionality (version string found)
Source: P8jE8nmN7G.exe String found in binary or memory: RFB 003.003
Source: P8jE8nmN7G.exe, 00000000.00000002.463690111.0000000000400000.00000040.00020000.sdmp String found in binary or memory: A@dA@RFB 003.003
Source: winlogon.exe, 00000002.00000002.473149033.000000000E0E1000.00000040.00000001.sdmp String found in binary or memory: RFB 003.003
Source: winlogon.exe, 00000002.00000002.463379411.0000000000401000.00000040.00000001.sdmp String found in binary or memory: A@dA@RFB 003.003
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe Code function: 0_2_0041090B socket,bind,closesocket,
Source: C:\Users\user\Desktop\P8jE8nmN7G.exe Code function: 0_2_004105F2 socket,bind,listen,closesocket,

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts 1 | Native API 1 | DLL Side-Loading 1 | DLL Side-Loading 1 | Obfuscated Files or Information 2 | Input Capture 21 | System Time Discovery 2 | Remote Desktop Protocol 1 | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1 |
| Default Accounts | Scheduled Task/Job | Application Shimming 1 | Application Shimming 1 | Install Root Certificate 1 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Input Capture 21 | Exfiltration Over Bluetooth | Encrypted Channel 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Create Account 1 | Valid Accounts 1 | Software Packing 13 | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Valid Accounts 1 | Access Token Manipulation 11 | DLL Side-Loading 1 | NTDS | System Information Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Registry Run Keys / Startup Folder 1 | Process Injection 42 | Masquerading 2 | LSA Secrets | Security Software Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Registry Run Keys / Startup Folder 1 | Valid Accounts 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 1 | DCSync | Process Discovery 3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation 11 | Proc Filesystem | System Owner/User Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 42 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction |

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

| Source | Detection | Scanner | Label |
|---|---|---|---|
| P8jE8nmN7G.exe | 80% | Virustotal | |
| P8jE8nmN7G.exe | 96% | ReversingLabs | Win32.Trojan.Zeus |
| P8jE8nmN7G.exe | 100% | Avira | TR/Dropper.Gen |
| P8jE8nmN7G.exe | 100% | Joe Sandbox ML | |

Dropped Files

| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\Windows\SysWOW64\sdra64.exe | 100% | Avira | TR/Dropper.Gen |
| C:\Windows\SysWOW64\sdra64.exe | 100% | Joe Sandbox ML | |

Unpacked PE Files

Domains

No Antivirus matches

URLs

| Source | Detection | Scanner | Label |
|---|---|---|---|
| https://onlineeast#.bankofamerica.com/cgi-bin/ias/ | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://onlineeast#.bankofamerica.com/cgi-bin/ias/ | P8jE8nmN7G.exe, 00000000.00000002.464936104.0000000002563000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | low |

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:32.0.0 Black Diamond
Analysis ID:409287
Start date:09.05.2021
Start time:20:35:16
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 6s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:P8jE8nmN7G (renamed file extension from none to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:23
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:1
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.evad.winEXE@1/2@0/0
EGA Information:Failed
HDC Information:
  • Successful, ratio: 87.2% (good quality ratio 82.8%)
  • Quality average: 83.4%
  • Quality standard deviation: 27.7%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Windows\SysWOW64\sdra64.exe
Process:C:\Users\user\Desktop\P8jE8nmN7G.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):960512
Entropy (8bit):7.4471687140914185
Encrypted:false
SSDEEP:24576:+Vy+qcRpdmAA4xiaUG5al4+0JgF8VDn50JTJtFW1a7wt:V+tTmIzD4O+4gF+5Qjka7+
MD5:8834EA3D0BD0092967199887FAA44929
SHA1:411441B2883B67FECDC085B6E5F7E7F51D68AA90
SHA-256:2C3A335C1B7760346149BEC5BE904E9DD6289E18C81A5264E5C8C073D58DDE03
SHA-512:42E28B003961CC94D9F26AE5C347AD972A45283B4213123F818BC4F76829E54BC33C22ACD92BEBA3EE4A22E5FFC82163F9FBB4E82BA9DB6E68C051DB840D6CDE
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:low
C:\Windows\SysWOW64\sdra64.exe:Zone.Identifier
Process:C:\Users\user\Desktop\P8jE8nmN7G.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Reputation:high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.463091044475583
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.83%
  • Windows Screen Saver (13104/52) 0.13%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:P8jE8nmN7G.exe
File size:602112
MD5:ac514dce9416eb9e4148431016629174
SHA1:b0e1d96605cdc3da995a667a1fdc7189b67bfdcd
SHA256:67334c1b7f629c04efefbfb466e5996a425af4a43c07a5ce51d4f142222b0de7
SHA512:8c485630cae11e23c5eb790aa061681fe161ea390e07731ea7742a9f029806f43eb432eb08af280b301e889a6b4932ae6c6b436b8d78afb333e5cf0ba8e8907a
SSDEEP:12288:+VZuL+Kd3LSbFPFX3PL2w5+9naFA4xixYUSl5alHY+0JgKsOaRC:+Vy+qcRpdmAA4xiaUG5al4+0JgFU

File Icon

Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint:0x407454
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x4730479C [Tue Nov 6 10:53:16 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:fbbf51b163121df5cf4fc9419aafa3af

Entrypoint Preview

Instruction
call 00007FE68087D0EBh
xor edi, edi
pop esi
retn 0028h
xor esi, esi
push 0000000Eh
push 00681494h
push 00FFFE7Ch
push 00000001h
push 00AAC0FBh
push 00000000h
call dword ptr [004130FCh]
mov edx, eax
or edx, 000000BEh
add esi, edx
push edx
push 00000000h
call dword ptr [00413100h]
pop ebx
cmp esi, 08407BE0h
jnl 00007FE68087D0E4h
jmp 00007FE68087D0A9h
mov eax, 0001362Fh
add eax, 5Bh
mov ecx, edx
sub esp, 04h
mov dword ptr [esp], ecx
sub esp, 04h
mov dword ptr [esp], 00000040h
sub esp, 04h
mov dword ptr [esp], 00003000h
push eax
sub esp, 04h
mov dword ptr [esp], 00000000h
call dword ptr [004130F8h]
pop ecx
mov ecx, esi
mov esi, dword ptr [esp]
mov edi, eax
add esi, 000000F3h
push eax
mov ecx, 000001E6h
mov edx, 137D02D9h
mov ebp, 00000000h
mov bh, dl
add bh, byte ptr [esi]
add esi, 01h
mov byte ptr [edi], bh
add byte ptr [edi], bl
add edi, 01h
sub esp, 04h
mov dword ptr [esp], edx
sub esp, 04h
mov dword ptr [esp], ecx
push 0000001Dh
push 0000001Eh
push 00FFFC60h
push 00000005h
push 006D2D0Ch
push 00000000h
call dword ptr [000000FCh]

Data Directories

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x135c8 | 0x78 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x4e0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

Sections

| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x11f89 | 0x12000 | False | 0.879055447049 | data | 7.22037238545 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0x13000 | 0x2340 | 0x2400 | False | 0.452256944444 | data | 5.58339650142 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x16000 | 0x507d | 0x200 | False | 0.13671875 | data | 0.819758377798 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |

Imports

| DLL | Import |
|---|---|
| KERNEL32.dll | FatalAppExitW, WriteTapemark, CreatePipe, FindClose, GetWindowsDirectoryA, FatalAppExitA, TerminateProcess, ReadConsoleW, MoveFileExW, GetPrivateProfileSectionW, CreateProcessA, DebugBreak, VerLanguageNameA, WaitForSingleObject, ReleaseMutex, OpenWaitableTimerW, GetQueuedCompletionStatus, LocalSize, lstrcpyn, GetProcAddress, GetLogicalDriveStringsA, FlushViewOfFile, GetCurrentProcess, BackupSeek, SystemTimeToTzSpecificLocalTime, SetConsoleCP, InitAtomTable, HeapCompact, WriteProfileStringA, FindNextFileW, GetDateFormatA, GetNumberFormatA, CommConfigDialogA, RemoveDirectoryA, ReadConsoleOutputCharacterA, IsBadCodePtr, GetFileAttributesA, GetProcessPriorityBoost, WriteFileEx, ConvertDefaultLocale, IsBadReadPtr, CreateSemaphoreA, Toolhelp32ReadProcessMemory, SetThreadPriority, SuspendThread, GetProcessAffinityMask, CreateMailslotW, VirtualProtect, SetConsoleTitleA, GetCurrentThread, VirtualProtectEx, ReadConsoleOutputA, EnumCalendarInfoExA, FindFirstChangeNotificationA, lstrcpyW, GetFileInformationByHandle, DebugActiveProcess, DisableThreadLibraryCalls, SetLocaleInfoA, OpenEventW, FreeLibraryAndExitThread, EnumSystemCodePagesA, VirtualAlloc, MapViewOfFileEx, GetFileType |
| ole32.dll | GetHookInterface, CoRevertToSelf, OleDraw, OleBuildVersion, OleCreateFromFile, StgCreateDocfileOnILockBytes, OpenOrCreateStream, OleCreateFromData, CreateAntiMoniker, GetHGlobalFromStream, OleSetMenuDescriptor, ReleaseStgMedium, ReadStringStream, CoFileTimeToDosDateTime, OleCreateEmbeddingHelper, RegisterDragDrop, GetHGlobalFromILockBytes, OleConvertIStorageToOLESTREAM, DllDebugObjectRPCHook, UtGetDvtd16Info, OleMetafilePictFromIconAndLabel, CoRevokeClassObject, ReadOleStg, CoRegisterMessageFilter, CreateGenericComposite, CreateStreamOnHGlobal, IsEqualGUID, OleRegEnumFormatEtc, CoFreeLibrary, CoGetTreatAsClass, OleSave, StgOpenAsyncDocfileOnIFillLockBytes, CoCopyProxy, CoIsOle1Class, CoBuildVersion, CoGetCurrentLogicalThreadId, CoReleaseMarshalData, CoQueryAuthenticationServices, OleConvertOLESTREAMToIStorageEx, CreateClassMoniker, CoImpersonateClient, StgOpenStorageEx, CoRevokeMallocSpy, OleCreate, CoUnmarshalInterface, CoGetCurrentProcess, CreateDataCache, StringFromGUID2, CoTreatAsClass, StgOpenStorage, OleCreateLinkFromData, OleGetIconOfFile, OleTranslateAccelerator, CreateDataAdviseHolder, OleCreateLinkEx, CoGetCallerTID, CoTaskMemRealloc, UtConvertDvtd32toDvtd16 |
| ADVAPI32.dll | CryptEnumProvidersW, CryptSetProviderA, QueryServiceObjectSecurity, LookupPrivilegeValueA, CryptEnumProviderTypesA, LookupSecurityDescriptorPartsW, GetLengthSid, CopySid, BuildSecurityDescriptorW, SetSecurityDescriptorDacl, RegQueryValueW, BuildTrusteeWithSidW, SetEntriesInAuditListA, BuildTrusteeWithNameW, CryptSetProvParam, RegReplaceKeyA, OpenBackupEventLogA, RegSaveKeyA, RegisterEventSourceW, UnlockServiceDatabase, LookupAccountNameA, CloseServiceHandle, GetSidSubAuthorityCount, CryptAcquireContextW, SetServiceStatus, OpenThreadToken, CryptGetDefaultProviderW, RegEnumKeyExW, AreAnyAccessesGranted, GetOldestEventLogRecord, CryptSetHashParam, CryptContextAddRef, StartServiceW, RegSetValueExA, ReadEventLogW, GetCurrentHwProfileW, GetSecurityDescriptorGroup, GetMultipleTrusteeOperationA, CryptGenRandom, ChangeServiceConfigA, SetNamedSecurityInfoExA, GetAccessPermissionsForObjectW, AddAuditAccessAce, GetOverlappedAccessResults, RegCreateKeyW, SetSecurityDescriptorSacl, LookupAccountSidA, ReportEventA, CryptSignHashW, RegQueryMultipleValuesW, DeregisterEventSource, CancelOverlappedAccess, RegQueryValueExW, OpenBackupEventLogW, BackupEventLogW, CryptDecrypt, AccessCheckAndAuditAlarmA, CreateProcessAsUserA, InitializeSecurityDescriptor, RegEnumKeyA, SetTokenInformation, AddAccessDeniedAce, RegCreateKeyExA, GetTokenInformation, IsValidAcl, RegCreateKeyExW, LookupPrivilegeNameW |
| SHLWAPI.dll | PathMakePrettyA, SHEnumKeyExW, PathCompactPathExA, SHDeleteKeyA, UrlEscapeA, SHCreateStreamOnFileW, PathIsUNCServerA, PathFindExtensionA, SHRegDeleteUSValueA, PathFindSuffixArrayW, PathIsUNCServerW, SHRegGetUSValueW, StrCmpNA, SHRegEnumUSValueA, StrStrIA, SHSetValueW, SHOpenRegStream2A, PathIsNetworkPathA, StrCpyNW, StrRChrIW, PathSkipRootA, UrlHashA, SHRegDeleteEmptyUSKeyW, PathGetArgsA, StrRetToBufA, SHRegOpenUSKeyA, StrCatBuffW, PathRemoveArgsA, ChrCmpIA, PathBuildRootA, SHRegDeleteUSValueW, PathCompactPathA, PathIsRootW, PathSearchAndQualifyW, wnsprintfW, StrToIntW, SHQueryInfoKeyA, PathAddBackslashW, StrCmpNW, UrlUnescapeA, StrCSpnIA, SHStrDupW, PathRemoveFileSpecW, StrFormatKBSizeA, SHSetThreadRef, StrCSpnA, SHRegDuplicateHKey, UrlCanonicalizeA, UrlIsOpaqueW, SHQueryValueExA, PathCommonPrefixA, StrChrW, SHRegSetUSValueW, PathRemoveExtensionA, wvnsprintfA, PathIsDirectoryA, SHEnumValueW, StrRetToStrA, UrlEscapeW, StrCSpnIW, UrlIsW, PathStripToRootA |
| USER32.dll | IsRectEmpty, GetSubMenu, DialogBoxParamW, ReleaseCapture, ExitWindowsEx, LoadCursorW, EndDialog, MessageBoxIndirectW, GetMenuState, TranslateMessage, SetLastErrorEx, CreateDialogParamA, GetTabbedTextExtentW, SetDlgItemTextA, GetMenuInfo, CharLowerBuffW, DdeConnect, EnumThreadWindows, UnregisterClassA, ChangeDisplaySettingsExW, TrackPopupMenuEx, SetCursorPos, GetMenuItemRect, GetCaretBlinkTime, IsMenu, GetThreadDesktop, SetPropA, GetClipboardOwner, EnumPropsExW, GetClipboardFormatNameA, DrawEdge, GetMenuCheckMarkDimensions, IsChild, DrawStateW, GetAncestor, FillRect, DlgDirListComboBoxW, WinHelpA, EnumClipboardFormats, SetPropW, EnumDisplayMonitors, GetWindowInfo, EnumDisplaySettingsA, CharUpperW, LookupIconIdFromDirectoryEx, GetQueueStatus, GetMessageTime, GetKeyboardState, DdeAddData, SendMessageTimeoutA, EnumDesktopsA, SetWindowPos, InvalidateRect, SetMessageExtraInfo, SetClipboardData |

Network Behavior

No network behavior found

Code Manipulations

System Behavior

General

Start time:20:35:59
Start date:09/05/2021
Path:C:\Users\user\Desktop\P8jE8nmN7G.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\P8jE8nmN7G.exe'
Imagebase:0x400000
File size:602112 bytes
MD5 hash:AC514DCE9416EB9E4148431016629174
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

General

Start time:20:36:00
Start date:09/05/2021
Path:C:\Windows\System32\winlogon.exe
Wow64 process (32bit):false
Commandline:
Imagebase:0x7ff739090000
File size:677376 bytes
MD5 hash:F9017F2DC455AD373DF036F5817A8870
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Disassembly

Code Analysis
