Source: explorer.exe | String found in binary or memory: file:///c:/jbxinitvm.au3 |
Source: explorer.exe | String found in binary or memory: file:///c:/jbxinitvm.au3p |
Source: explorer.exe | String found in binary or memory: file:///c:/jbxinitvm.au3x |
Source: explorer.exe | String found in binary or memory: file:///c:/program%20files/adobe/reader%2011.0/reader/legal/enu/license.html |
Source: explorer.exe | String found in binary or memory: file:///c:/program%20files/common%20files/adobe/arm/1.0/adobearm.exe |
Source: explorer.exe | String found in binary or memory: file:///c:/program%20files/common%20files/adobe/arm/1.0/adobearm.exe30 |
Source: explorer.exe | String found in binary or memory: file:///c:/program%20files/common%20files/adobe/arm/1.0/adobearm.exexplaf |
Source: explorer.exe | String found in binary or memory: file:///c:/users/admin/appdata/local/microsoft/windows/wer/erc/responsestatecache.xml |
Source: explorer.exe | String found in binary or memory: file:///c:/windows/system32/cmd.exe |
Source: explorer.exe | String found in binary or memory: file://192.168.1.2/all/autoit-v3-setup.exe |
Source: explorer.exe | String found in binary or memory: file://c: |
Source: TTpaymentusd.exe, avewi.exe, dwm.exe, explorer.exe, taskhost.exe | String found in binary or memory: http:// |
Source: explorer.exe | String found in binary or memory: http://64.m.bin |
Source: explorer.exe | String found in binary or memory: http://64.m.bin#n |
Source: explorer.exe | String found in binary or memory: http://6_vnc.bin |
Source: explorer.exe | String found in binary or memory: http://6_vnc.bin4n |
Source: explorer.exe | String found in binary or memory: http://ams1.ib.adnxs.com/if?e=wqt_3qkkbkgbagaaagdwaauio8vkqauq4fjnl9fy6bsagp3u5m23s7zsbiabki0jaaaabq |
Source: explorer.exe | String found in binary or memory: http://c2s/bot.exe |
Source: explorer.exe | String found in binary or memory: http://c2s/bot.exe.n |
Source: explorer.exe | String found in binary or memory: http://ca.sia.it/secsrv/repository/crl.der0j |
Source: explorer.exe | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0 |
Source: explorer.exe | String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0 |
Source: explorer.exe | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0 |
Source: explorer.exe | String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0 |
Source: explorer.exe | String found in binary or memory: http://crl.entrust.net/2048ca.crl0 |
Source: explorer.exe | String found in binary or memory: http://crl.entrust.net/server1.crl0 |
Source: explorer.exe | String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl |
Source: explorer.exe | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: explorer.exe | String found in binary or memory: http://crl.globalsign.net/root.crl |
Source: E6024EAC88E6B6165D49FE3C95ADD735.2556.dr | String found in binary or memory: http://crl.microsoft.com/pki/crl/products/codesignpca.crl |
Source: ppcrlui_2556_2.2556.dr | String found in binary or memory: http://crl.microsoft.com/pki/crl/products/codesignpca.crl0 |
Source: explorer.exe | String found in binary or memory: http://crl.microsoft.com/pki/crl/products/miccerlisca2011_2011-03-29.crl0 |
Source: explorer.exe | String found in binary or memory: http://crl.microsoft.com/pki/crl/products/microoceraut_2010-06-23.crl0z |
Source: explorer.exe | String found in binary or memory: http://crl.netsolssl.com/networksolutionscertificateauthority.crl0 |
Source: explorer.exe | String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0 |
Source: ppcrlui_2556_2.2556.dr | String found in binary or memory: http://crl.verisign.com/thawtetimestampingca.crl0 |
Source: ppcrlui_2556_2.2556.dr | String found in binary or memory: http://crl.verisign.com/tss-ca.crl0 |
Source: explorer.exe | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: explorer.exe | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd |
Source: 56331907-00000001.eml.2556.dr | String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=3d51301 |
Source: explorer.exe | String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=69157lmemx |
Source: explorer.exe | String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=92362. |
Source: TTpaymentusd.exe, avewi.exe, dwm.exe, explorer.exe | String found in binary or memory: http://https://content-typeauthorizationhttp/1.transfer-encodingchunkedconnectioncloseproxy-connecti |
Source: explorer.exe | String found in binary or memory: http://huaweideviceng.com/william/wp-includes/.cph/rename.php |
Source: explorer.exe | String found in binary or memory: http://huaweideviceng.com/william/wp-includes/.cph/rename.php%n |
Source: explorer.exe | String found in binary or memory: http://huaweideviceng.com/william/wp-includes/.cph/rename.phpc |
Source: explorer.exe | String found in binary or memory: http://java.com/ |
Source: explorer.exe | String found in binary or memory: http://java.com/help |
Source: explorer.exe | String found in binary or memory: http://java.com/helphttp://java.com/help |
Source: explorer.exe | String found in binary or memory: http://java.com/helpp |
Source: explorer.exe | String found in binary or memory: http://java.com/helpy |
Source: explorer.exe | String found in binary or memory: http://java.com/m |
Source: explorer.exe | String found in binary or memory: http://java.com/ws |
Source: explorer.exe | String found in binary or memory: http://logo.verisign.com/vslogo.gif0 |
Source: explorer.exe | String found in binary or memory: http://microsoft.com0 |
Source: explorer.exe | String found in binary or memory: http://ocsp.entrust.net03 |
Source: explorer.exe | String found in binary or memory: http://ocsp.entrust.net0d |
Source: ppcrlui_2556_2.2556.dr | String found in binary or memory: http://ocsp.verisign.com0 |
Source: explorer.exe | String found in binary or memory: http://platform.twitter.com/widgets/follow_button.html?show_screen_name=false&screen_name=msnde&show |
Source: explorer.exe | String found in binary or memory: http://schemas.microsoft.com/contact |
Source: explorer.exe | String found in binary or memory: http://schemas.microsoft.com/contactjg= |
Source: explorer.exe | String found in binary or memory: http://schemas.microsoft.com/passport/soapservices/ppcrl |
Source: explorer.exe | String found in binary or memory: http://schemas.microsoft.com/passport/soapservices/soapfault |
Source: explorer.exe | String found in binary or memory: http://schemas.microsoft.com/trustbridge/schema#1 |
Source: explorer.exe | String found in binary or memory: http://schemas.microsoft.com/win/2004/08/events/event |
Source: explorer.exe | String found in binary or memory: http://schemas.microsoft.com/windows/2009/library |
Source: explorer.exe | String found in binary or memory: http://schemas.microsoft.com/windows/2009/library4bfc |
Source: explorer.exe | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/ |
Source: explorer.exe | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy |
Source: explorer.exe | String found in binary or memory: http://schemas.xmlsoap.org/ws/2003/06/secext |
Source: explorer.exe | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust |
Source: explorer.exe | String found in binary or memory: http://www.bing.com/search |
Source: explorer.exe | String found in binary or memory: http://www.bing.com/searcho |
Source: explorer.exe | String found in binary or memory: http://www.chambersign.org1 |
Source: explorer.exe | String found in binary or memory: http://www.digicert.com.my/cps.htm02 |
Source: explorer.exe | String found in binary or memory: http://www.e-trust.be/cps/qncerts |
Source: explorer.exe | String found in binary or memory: http://www.facebook.com/plugins/like.php?href=http%3a%2f%2fwww.facebook.com%2fwindows&locale=en_us&w |
Source: explorer.exe | String found in binary or memory: http://www.kayako.com |
Source: explorer.exe | String found in binary or memory: http://www.microsoft.com/pki/certs/miccerlisca2011_2011-03-29.crt0 |
Source: explorer.exe | String found in binary or memory: http://www.microsoft.com/pki/certs/microoceraut_2010-06-23.crt07 |
Source: ppcrlui_2556_2.2556.dr | String found in binary or memory: http://www.passport.com |
Source: ppcrlui_2556_2.2556.dr | String found in binary or memory: http://www.passport.net/0 |
Source: ppcrlui_2556_2.2556.dr | String found in binary or memory: http://www.passport.net/consumer/privacypolicy.asp |
Source: ppcrlui_2556_2.2556.dr | String found in binary or memory: http://www.passport.net/consumer/termsofuse.asp |
Source: explorer.exe | String found in binary or memory: http://www.w3.org/1999/xhtml |
Source: explorer.exe | String found in binary or memory: http://www.w3.org/1999/xsl/transform |
Source: explorer.exe | String found in binary or memory: http://www.w3.org/2000/09/xmldsig# |
Source: explorer.exe | String found in binary or memory: http://www.w3.org/2001/04/xmlenc# |
Source: explorer.exe | String found in binary or memory: http://www.w3.org/2001/xmlschema-instance |
Source: explorer.exe | String found in binary or memory: http://www.w3.org/2001/xmlschema-instancebg |
Source: explorer.exe | String found in binary or memory: http://www.w3.org/tr/rec-html40 |
Source: explorer.exe | String found in binary or memory: http://www.w3.org/xml/1998/namespace: |
Source: explorer.exe | String found in binary or memory: http://www.wellsfargo.com/certpolicy0 |
Source: explorer.exe | String found in binary or memory: http://ya.ru |
Source: TTpaymentusd.exe, avewi.exe, dwm.exe, explorer.exe, taskhost.exe | String found in binary or memory: https:// |
Source: explorer.exe | String found in binary or memory: https://ca.sia.it/secsrv/repository/cps0 |
Source: explorer.exe | String found in binary or memory: https://get.adobe.com/flashplayer/completion/aih/?exitcode=0&re=0&type=install&appid=200 |
Source: explorer.exe | String found in binary or memory: https://get.adobe.com/flashplayer/completion/aih/?exitcode=0&re=0&type=install&appid=200(l2 |
Source: explorer.exe | String found in binary or memory: https://get.adobe.com/flashplayer/completion/aih/?exitcode=0&re=0&type=install&appid=200lmem |
Source: explorer.exe | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=12&checkda=1&ct=1427711392&rver=6.1.6195.0&wp=& |
Source: explorer.exe | String found in binary or memory: https://s-static.ak.facebook.com/connect/xd_arbiter/6dg4olkbbyq.js?version=41 |
Source: explorer.exe | String found in binary or memory: https://s-static.ak.facebook.com/connect/xd_arbiter/6dg4olkbbyq.js?version=41p |
Source: ppcrlui_2556_2.2556.dr | String found in binary or memory: https://uimemsvc-c.net.pdmsn.test.microsoft.com/memberservice.srf |
Source: explorer.exe | String found in binary or memory: https://www.facebook.com/connect/ping?client_id=132970837947&domain=www.msn.com&origin=1&redirect_ur |
Source: explorer.exe | String found in binary or memory: https://www.facebook.com/connect/ping?client_id=544580382313562&domain=www.msn.com&origin=1&redirect |
Source: explorer.exe | String found in binary or memory: https://yandex.ru/ |
Source: explorer.exe | String found in binary or memory: s-static.ak.facebook.com) equals www.facebook.com (Facebook) |
Source: explorer.exe | String found in binary or memory: s-static.ak.facebook.com+00 equals www.facebook.com (Facebook) |
Source: explorer.exe | String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook) |
Source: explorer.exe | String found in binary or memory: www.facebook.comChK~ equals www.facebook.com (Facebook) |
Source: explorer.exe | String found in binary or memory: www.facebook.comS~ equals www.facebook.com (Facebook) |
Source: explorer.exe | String found in binary or memory: www.facebook.comte-~ equals www.facebook.com (Facebook) |
Source: explorer.exe | String found in binary or memory: yahoo.com equals www.yahoo.com (Yahoo) |
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail * |
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail unknown |
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup * |
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup unknown |
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new * |
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new unknown |
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery * |
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery unknown |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail edb<.log |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail unknown |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail edbres<.jrs |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail edbres00001.jrs |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail edbres00002.jrs |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail tmp.edb |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail WindowsMail.MSMessageStore |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail * |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail account<.oeaccount |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail Backup |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup * |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup unknown |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail edb00002.log |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail WindowsMail.pat |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\old * |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\old unknown |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders * |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders unknown |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox * |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox unknown |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox * |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox unknown |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items * |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items unknown |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items * |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items unknown |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts * |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts unknown |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail * |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail unknown |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Microsoft Communities * |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Microsoft Communities unknown |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery * |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery unknown |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new * |
Source: C:\Program Files\Windows Mail\WinMail.exe | Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new unknown |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\dwm.exe base: 200000 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\dwm.exe base: 2298EC protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\dwm.exe base: 229000 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\dwm.exe base: 229A0C protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\dwm.exe base: 229E18 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\dwm.exe base: 229E1C protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\dwm.exe base: 229E20 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\dwm.exe base: 2298E0 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\dwm.exe base: 229A64 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\dwm.exe base: 2297A0 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\explorer.exe base: 1CC0000 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\explorer.exe base: 1CE98EC protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\explorer.exe base: 1CE9000 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\explorer.exe base: 1CE9A0C protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\explorer.exe base: 1CE9E18 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\explorer.exe base: 1CE9E1C protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\explorer.exe base: 1CE9E20 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\explorer.exe base: 1CE98E0 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\explorer.exe base: 1CE9A64 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\explorer.exe base: 1CE97A0 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 1A50000 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 1A798EC protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 1A79000 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 1A79A0C protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 1A79E18 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 1A79E1C protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 1A79E20 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 1A798E0 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 1A79A64 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\taskhost.exe base: 1A797A0 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\conhost.exe base: 60000 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\conhost.exe base: 898EC protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\conhost.exe base: 89000 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\conhost.exe base: 89A0C protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\conhost.exe base: 89E18 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\conhost.exe base: 89E1C protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\conhost.exe base: 89E20 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\conhost.exe base: 898E0 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\conhost.exe base: 89A64 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: C:\Windows\System32\conhost.exe base: 897A0 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: unknown base: 550000 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: unknown base: 5798EC protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: unknown base: 579000 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: unknown base: 579A0C protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: unknown base: 579E18 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: unknown base: 579E1C protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: unknown base: 579E20 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: unknown base: 5798E0 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: unknown base: 579A64 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory protected: unknown base: 5797A0 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: C:\Program Files\Windows Mail\WinMail.exe base: 300000 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: C:\Program Files\Windows Mail\WinMail.exe base: 3298EC protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: C:\Program Files\Windows Mail\WinMail.exe base: 329000 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: C:\Program Files\Windows Mail\WinMail.exe base: 329A0C protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: C:\Program Files\Windows Mail\WinMail.exe base: 329E18 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: C:\Program Files\Windows Mail\WinMail.exe base: 329E1C protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: C:\Program Files\Windows Mail\WinMail.exe base: 329E20 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: C:\Program Files\Windows Mail\WinMail.exe base: 3298E0 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: C:\Program Files\Windows Mail\WinMail.exe base: 329A64 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: C:\Program Files\Windows Mail\WinMail.exe base: 3297A0 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 10B0000 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 10D98EC protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 10D9000 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 10D9A0C protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 10D9E18 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 10D9E1C protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 10D9E20 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 10D98E0 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 10D9A64 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 10D97A0 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 2950000 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 29798EC protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 2979000 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 2979A0C protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 2979E18 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 2979E1C protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 2979E20 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 29798E0 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 2979A64 protect: page execute and read and write |
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 29797A0 protect: page execute and read and write |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\dwm.exe base: 200000 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\dwm.exe base: 2298EC |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\dwm.exe base: 229A0C |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\dwm.exe base: 229E18 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\dwm.exe base: 229E1C |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\dwm.exe base: 229E20 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\dwm.exe base: 2298E0 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\dwm.exe base: 229A64 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\dwm.exe base: 2297A0 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\explorer.exe base: 1CC0000 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\explorer.exe base: 1CE98EC |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\explorer.exe base: 1CE9A0C |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\explorer.exe base: 1CE9E18 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\explorer.exe base: 1CE9E1C |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\explorer.exe base: 1CE9E20 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\explorer.exe base: 1CE98E0 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\explorer.exe base: 1CE9A64 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\explorer.exe base: 1CE97A0 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\taskhost.exe base: 1A50000 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\taskhost.exe base: 1A798EC |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\taskhost.exe base: 1A79A0C |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\taskhost.exe base: 1A79E18 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\taskhost.exe base: 1A79E1C |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\taskhost.exe base: 1A79E20 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\taskhost.exe base: 1A798E0 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\taskhost.exe base: 1A79A64 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\taskhost.exe base: 1A797A0 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\conhost.exe base: 60000 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\conhost.exe base: 898EC |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\conhost.exe base: 89A0C |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\conhost.exe base: 89E18 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\conhost.exe base: 89E1C |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\conhost.exe base: 89E20 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\conhost.exe base: 898E0 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\conhost.exe base: 89A64 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: C:\Windows\System32\conhost.exe base: 897A0 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: unknown base: 550000 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: unknown base: 5798EC |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: unknown base: 579A0C |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: unknown base: 579E18 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: unknown base: 579E1C |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: unknown base: 579E20 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: unknown base: 5798E0 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: unknown base: 579A64 |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Memory written: unknown base: 5797A0 |
Source: C:\Windows\explorer.exe | Memory written: C:\Program Files\Windows Mail\WinMail.exe base: 300000 |
Source: C:\Windows\explorer.exe | Memory written: C:\Program Files\Windows Mail\WinMail.exe base: 3298EC |
Source: C:\Windows\explorer.exe | Memory written: C:\Program Files\Windows Mail\WinMail.exe base: 329A0C |
Source: C:\Windows\explorer.exe | Memory written: C:\Program Files\Windows Mail\WinMail.exe base: 329E18 |
Source: C:\Windows\explorer.exe | Memory written: C:\Program Files\Windows Mail\WinMail.exe base: 329E1C |
Source: C:\Windows\explorer.exe | Memory written: C:\Program Files\Windows Mail\WinMail.exe base: 329E20 |
Source: C:\Windows\explorer.exe | Memory written: C:\Program Files\Windows Mail\WinMail.exe base: 3298E0 |
Source: C:\Windows\explorer.exe | Memory written: C:\Program Files\Windows Mail\WinMail.exe base: 329A64 |
Source: C:\Windows\explorer.exe | Memory written: C:\Program Files\Windows Mail\WinMail.exe base: 3297A0 |
Source: C:\Windows\explorer.exe | Memory written: unknown base: 10B0000 |
Source: C:\Windows\explorer.exe | Memory written: unknown base: 10D98EC |
Source: C:\Windows\explorer.exe | Memory written: unknown base: 10D9A0C |
Source: C:\Windows\explorer.exe | Memory written: unknown base: 10D9E18 |
Source: C:\Windows\explorer.exe | Memory written: unknown base: 10D9E1C |
Source: C:\Windows\explorer.exe | Memory written: unknown base: 10D9E20 |
Source: C:\Windows\explorer.exe | Memory written: unknown base: 10D98E0 |
Source: C:\Windows\explorer.exe | Memory written: unknown base: 10D9A64 |
Source: C:\Windows\explorer.exe | Memory written: unknown base: 10D97A0 |
Source: C:\Windows\explorer.exe | Memory written: unknown base: 2950000 |
Source: C:\Windows\explorer.exe | Memory written: unknown base: 29798EC |
Source: C:\Windows\explorer.exe | Memory written: unknown base: 2979A0C |
Source: C:\Windows\explorer.exe | Memory written: unknown base: 2979E18 |
Source: C:\Windows\explorer.exe | Memory written: unknown base: 2979E1C |
Source: C:\Windows\explorer.exe | Memory written: unknown base: 2979E20 |
Source: C:\Windows\explorer.exe | Memory written: unknown base: 29798E0 |
Source: C:\Windows\explorer.exe | Memory written: unknown base: 2979A64 |
Source: C:\Windows\explorer.exe | Memory written: unknown base: 29797A0 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 43000A value: 8B FF 55 8B EC E9 B8 64 88 75 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 430014 value: 8B FF 55 8B EC E9 8E 2B 89 75 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 43001E value: 8B FF 55 8B EC E9 6B 31 98 75 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 430028 value: 8B FF 55 8B EC E9 A3 B4 04 76 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 430032 value: 8B FF 55 8B EC E9 B9 2A 09 76 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 43003C value: 8B FF 55 8B EC E9 6F 3D 08 76 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 430046 value: 8B FF 55 8B EC E9 45 C7 10 76 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 430050 value: 8B FF 55 8B EC E9 5B 4F 05 76 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 43005A value: 8B FF 55 8B EC E9 B1 0D 07 76 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 430064 value: 8B FF 55 8B EC E9 47 0D 07 76 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 43006E value: 8B FF 55 8B EC E9 1D 32 06 76 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 430078 value: 8B FF 55 8B EC E9 23 3F 04 76 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 430082 value: 8B FF 55 8B EC E9 B9 86 09 76 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 43008C value: 8B FF 55 8B EC E9 CF 86 04 76 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 430096 value: 8B FF 55 8B EC E9 75 AF 04 76 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 4300A0 value: 8B FF 55 8B EC E9 0B 86 09 76 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 4300AA value: 8B FF 55 8B EC E9 61 C3 04 76 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 4300B4 value: 8B FF 55 8B EC E9 E7 AE 03 76 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 4300BE value: 8B FF 55 8B EC E9 55 38 A9 75 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 4300C8 value: 8B FF 55 8B EC E9 34 6E A9 75 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 4300D2 value: 8B FF 55 8B EC E9 37 6A A9 75 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 4300DC value: 8B FF 55 8B EC E9 25 43 A9 75 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 4300E6 value: 8B FF 55 8B EC E9 9E 6F A9 75 |
Source: C:\TTpaymentusd.exe | Memory written: PID: 1652 base: 4300F0 value: 8B FF 55 8B EC E9 F1 25 74 75 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF000A value: 8B FF 55 8B EC E9 B8 64 FC 73 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF0014 value: 8B FF 55 8B EC E9 8E 2B FD 73 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF001E value: 8B FF 55 8B EC E9 6B 31 0C 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF0028 value: 8B FF 55 8B EC E9 A3 B4 78 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF0032 value: 8B FF 55 8B EC E9 B9 2A 7D 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF003C value: 8B FF 55 8B EC E9 6F 3D 7C 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF0046 value: 8B FF 55 8B EC E9 45 C7 84 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF0050 value: 8B FF 55 8B EC E9 5B 4F 79 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF005A value: 8B FF 55 8B EC E9 B1 0D 7B 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF0064 value: 8B FF 55 8B EC E9 47 0D 7B 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF006E value: 8B FF 55 8B EC E9 1D 32 7A 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF0078 value: 8B FF 55 8B EC E9 23 3F 78 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF0082 value: 8B FF 55 8B EC E9 B9 86 7D 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF008C value: 8B FF 55 8B EC E9 CF 86 78 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF0096 value: 8B FF 55 8B EC E9 75 AF 78 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF00A0 value: 8B FF 55 8B EC E9 0B 86 7D 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF00AA value: 8B FF 55 8B EC E9 61 C3 78 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF00B4 value: 8B FF 55 8B EC E9 E7 AE 77 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF00BE value: 8B FF 55 8B EC E9 55 38 1D 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF00C8 value: 8B FF 55 8B EC E9 34 6E 1D 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF00D2 value: 8B FF 55 8B EC E9 37 6A 1D 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF00DC value: 8B FF 55 8B EC E9 25 43 1D 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF00E6 value: 8B FF 55 8B EC E9 9E 6F 1D 74 |
Source: C:\Windows\explorer.exe | Memory written: PID: 1212 base: 1CF00F0 value: 8B FF 55 8B EC E9 F1 25 E8 73 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C000A value: 8B FF 55 8B EC E9 B8 64 2F 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C0014 value: 8B FF 55 8B EC E9 8E 2B 30 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C001E value: 8B FF 55 8B EC E9 6B 31 3F 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C0028 value: 8B FF 55 8B EC E9 A3 B4 AB 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C0032 value: 8B FF 55 8B EC E9 B9 2A B0 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C003C value: 8B FF 55 8B EC E9 6F 3D AF 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C0046 value: 8B FF 55 8B EC E9 45 C7 B7 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C0050 value: 8B FF 55 8B EC E9 5B 4F AC 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C005A value: 8B FF 55 8B EC E9 B1 0D AE 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C0064 value: 8B FF 55 8B EC E9 47 0D AE 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C006E value: 8B FF 55 8B EC E9 1D 32 AD 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C0078 value: 8B FF 55 8B EC E9 23 3F AB 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C0082 value: 8B FF 55 8B EC E9 B9 86 B0 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C008C value: 8B FF 55 8B EC E9 CF 86 AB 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C0096 value: 8B FF 55 8B EC E9 75 AF AB 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C00A0 value: 8B FF 55 8B EC E9 0B 86 B0 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C00AA value: 8B FF 55 8B EC E9 61 C3 AB 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C00B4 value: 8B FF 55 8B EC E9 E7 AE AA 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C00BE value: 8B FF 55 8B EC E9 55 38 50 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C00C8 value: 8B FF 55 8B EC E9 34 6E 50 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C00D2 value: 8B FF 55 8B EC E9 37 6A 50 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C00DC value: 8B FF 55 8B EC E9 25 43 50 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C00E6 value: 8B FF 55 8B EC E9 9E 6F 50 74 |
Source: C:\Windows\System32\taskhost.exe | Memory written: PID: 1312 base: 19C00F0 value: 8B FF 55 8B EC E9 F1 25 1B 74 |
Source: C:\Windows\explorer.exe | Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1406 |
Source: C:\Windows\explorer.exe | Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1406 |
Source: C:\Windows\explorer.exe | Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1609 |
Source: C:\Windows\explorer.exe | Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1609 |
Source: C:\Windows\explorer.exe | Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1A02 |
Source: C:\Windows\explorer.exe | Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1A10 |
Source: C:\Windows\explorer.exe | Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1A03 |
Source: C:\Windows\explorer.exe | Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1A05 |
Source: C:\Windows\explorer.exe | Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1A06 |
Source: C:\Windows\explorer.exe | Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1406 |
Source: C:\Windows\explorer.exe | Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1406 |
Source: C:\Windows\explorer.exe | Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1609 |
Source: C:\Windows\explorer.exe | Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1609 |
Source: C:\Windows\explorer.exe | Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1A10 |
Source: C:\Windows\explorer.exe | Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1A10 |
Source: C:\Windows\explorer.exe | Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1A05 |
Source: C:\Windows\explorer.exe | Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1A05 |
Source: C:\Windows\System32\taskhost.exe | Registry key created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1609 |
Source: C:\TTpaymentusd.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Users\admin\AppData\Roaming\Beedwy\avewi.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.chk VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.log VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.chk VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.log VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\tmp.edb VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.chk VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.chk VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edbtmp.log VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.log VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.chk VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb00002.log VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.chk VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore VolumeInformation |
Source: C:\Program Files\Windows Mail\WinMail.exe | Queries volume information: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.chk VolumeInformation |
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation |