| Source: 2.0.zrztlh.exe.400000.6.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 2.0.zrztlh.exe.400000.6.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 2.0.zrztlh.exe.400000.8.raw.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 2.0.zrztlh.exe.400000.8.raw.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 1.2.zrztlh.exe.730000.0.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 1.2.zrztlh.exe.730000.0.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 2.2.zrztlh.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 2.2.zrztlh.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 2.2.zrztlh.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 2.2.zrztlh.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 2.0.zrztlh.exe.400000.8.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 2.0.zrztlh.exe.400000.8.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 2.0.zrztlh.exe.400000.6.raw.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 2.0.zrztlh.exe.400000.6.raw.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 2.0.zrztlh.exe.400000.4.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 2.0.zrztlh.exe.400000.4.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 1.2.zrztlh.exe.730000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 1.2.zrztlh.exe.730000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000001.00000002.447718606.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000001.00000002.447718606.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000002.00000002.533348401.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000002.00000002.533348401.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000003.00000000.509506176.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000003.00000000.509506176.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000003.00000000.489068141.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000003.00000000.489068141.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000002.00000000.445889127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000002.00000000.445889127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 0000000A.00000002.716275585.0000000000E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 0000000A.00000002.716275585.0000000000E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000002.00000000.443445716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000002.00000000.443445716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 2.0.zrztlh.exe.400000.6.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 2.0.zrztlh.exe.400000.6.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 2.0.zrztlh.exe.400000.8.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 2.0.zrztlh.exe.400000.8.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 1.2.zrztlh.exe.730000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 1.2.zrztlh.exe.730000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 2.2.zrztlh.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 2.2.zrztlh.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 2.2.zrztlh.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 2.2.zrztlh.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 2.0.zrztlh.exe.400000.8.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 2.0.zrztlh.exe.400000.8.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 2.0.zrztlh.exe.400000.6.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 2.0.zrztlh.exe.400000.6.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 2.0.zrztlh.exe.400000.4.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 2.0.zrztlh.exe.400000.4.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 1.2.zrztlh.exe.730000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 1.2.zrztlh.exe.730000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000001.00000002.447718606.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000001.00000002.447718606.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000002.00000002.533348401.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000002.00000002.533348401.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000003.00000000.509506176.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000003.00000000.509506176.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000003.00000000.489068141.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000003.00000000.489068141.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000002.00000000.445889127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000002.00000000.445889127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 0000000A.00000002.716275585.0000000000E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 0000000A.00000002.716275585.0000000000E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000002.00000000.443445716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000002.00000000.443445716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: 2_2_0041A330 NtCreateFile, |
2_2_0041A330 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: 2_2_0041A3E0 NtReadFile, |
2_2_0041A3E0 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: 2_2_0041A460 NtClose, |
2_2_0041A460 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: 2_2_0041A510 NtAllocateVirtualMemory, |
2_2_0041A510 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: 2_2_0041A32A NtCreateFile, |
2_2_0041A32A |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: 2_2_0041A3DB NtReadFile, |
2_2_0041A3DB |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: 2_2_0041A45A NtClose, |
2_2_0041A45A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399710 NtQueryInformationToken,LdrInitializeThunk, |
10_2_03399710 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399780 NtMapViewOfSection,LdrInitializeThunk, |
10_2_03399780 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399FE0 NtCreateMutant,LdrInitializeThunk, |
10_2_03399FE0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399660 NtAllocateVirtualMemory,LdrInitializeThunk, |
10_2_03399660 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399A50 NtCreateFile,LdrInitializeThunk, |
10_2_03399A50 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399650 NtQueryValueKey,LdrInitializeThunk, |
10_2_03399650 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033996E0 NtFreeVirtualMemory,LdrInitializeThunk, |
10_2_033996E0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033996D0 NtCreateKey,LdrInitializeThunk, |
10_2_033996D0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399910 NtAdjustPrivilegesToken,LdrInitializeThunk, |
10_2_03399910 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399540 NtReadFile,LdrInitializeThunk, |
10_2_03399540 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033999A0 NtCreateSection,LdrInitializeThunk, |
10_2_033999A0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033995D0 NtClose,LdrInitializeThunk, |
10_2_033995D0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399860 NtQuerySystemInformation,LdrInitializeThunk, |
10_2_03399860 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399840 NtDelayExecution,LdrInitializeThunk, |
10_2_03399840 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399730 NtQueryVirtualMemory, |
10_2_03399730 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0339A710 NtOpenProcessToken, |
10_2_0339A710 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399B00 NtSetValueKey, |
10_2_03399B00 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399770 NtSetInformationFile, |
10_2_03399770 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0339A770 NtOpenThread, |
10_2_0339A770 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399760 NtOpenProcess, |
10_2_03399760 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0339A3B0 NtGetContextThread, |
10_2_0339A3B0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033997A0 NtUnmapViewOfSection, |
10_2_033997A0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399A20 NtResumeThread, |
10_2_03399A20 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399610 NtEnumerateValueKey, |
10_2_03399610 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399A10 NtQuerySection, |
10_2_03399A10 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399A00 NtProtectVirtualMemory, |
10_2_03399A00 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399670 NtQueryInformationProcess, |
10_2_03399670 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399A80 NtOpenDirectoryObject, |
10_2_03399A80 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0339AD30 NtSetContextThread, |
10_2_0339AD30 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399520 NtWaitForSingleObject, |
10_2_03399520 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399560 NtWriteFile, |
10_2_03399560 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399950 NtQueueApcThread, |
10_2_03399950 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033995F0 NtQueryInformationFile, |
10_2_033995F0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033999D0 NtCreateProcessEx, |
10_2_033999D0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03399820 NtEnumerateKey, |
10_2_03399820 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0339B040 NtSuspendThread, |
10_2_0339B040 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033998A0 NtWriteVirtualMemory, |
10_2_033998A0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033998F0 NtReadVirtualMemory, |
10_2_033998F0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_007DA330 NtCreateFile, |
10_2_007DA330 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_007DA3E0 NtReadFile, |
10_2_007DA3E0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_007DA460 NtClose, |
10_2_007DA460 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_007DA510 NtAllocateVirtualMemory, |
10_2_007DA510 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_007DA32A NtCreateFile, |
10_2_007DA32A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_007DA3DB NtReadFile, |
10_2_007DA3DB |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_007DA45A NtClose, |
10_2_007DA45A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338E730 mov eax, dword ptr fs:[00000030h] |
10_2_0338E730 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03428B58 mov eax, dword ptr fs:[00000030h] |
10_2_03428B58 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03354F2E mov eax, dword ptr fs:[00000030h] |
10_2_03354F2E |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03354F2E mov eax, dword ptr fs:[00000030h] |
10_2_03354F2E |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0337F716 mov eax, dword ptr fs:[00000030h] |
10_2_0337F716 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03428F6A mov eax, dword ptr fs:[00000030h] |
10_2_03428F6A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033EFF10 mov eax, dword ptr fs:[00000030h] |
10_2_033EFF10 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033EFF10 mov eax, dword ptr fs:[00000030h] |
10_2_033EFF10 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338A70E mov eax, dword ptr fs:[00000030h] |
10_2_0338A70E |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338A70E mov eax, dword ptr fs:[00000030h] |
10_2_0338A70E |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03383B7A mov eax, dword ptr fs:[00000030h] |
10_2_03383B7A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03383B7A mov eax, dword ptr fs:[00000030h] |
10_2_03383B7A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0342070D mov eax, dword ptr fs:[00000030h] |
10_2_0342070D |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0342070D mov eax, dword ptr fs:[00000030h] |
10_2_0342070D |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0335DB60 mov ecx, dword ptr fs:[00000030h] |
10_2_0335DB60 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0336FF60 mov eax, dword ptr fs:[00000030h] |
10_2_0336FF60 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0341131B mov eax, dword ptr fs:[00000030h] |
10_2_0341131B |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0335F358 mov eax, dword ptr fs:[00000030h] |
10_2_0335F358 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0335DB40 mov eax, dword ptr fs:[00000030h] |
10_2_0335DB40 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0336EF40 mov eax, dword ptr fs:[00000030h] |
10_2_0336EF40 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03384BAD mov eax, dword ptr fs:[00000030h] |
10_2_03384BAD |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03384BAD mov eax, dword ptr fs:[00000030h] |
10_2_03384BAD |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03384BAD mov eax, dword ptr fs:[00000030h] |
10_2_03384BAD |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03368794 mov eax, dword ptr fs:[00000030h] |
10_2_03368794 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338B390 mov eax, dword ptr fs:[00000030h] |
10_2_0338B390 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D7794 mov eax, dword ptr fs:[00000030h] |
10_2_033D7794 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D7794 mov eax, dword ptr fs:[00000030h] |
10_2_033D7794 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D7794 mov eax, dword ptr fs:[00000030h] |
10_2_033D7794 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03382397 mov eax, dword ptr fs:[00000030h] |
10_2_03382397 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03361B8F mov eax, dword ptr fs:[00000030h] |
10_2_03361B8F |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03361B8F mov eax, dword ptr fs:[00000030h] |
10_2_03361B8F |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0340D380 mov ecx, dword ptr fs:[00000030h] |
10_2_0340D380 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0341138A mov eax, dword ptr fs:[00000030h] |
10_2_0341138A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033937F5 mov eax, dword ptr fs:[00000030h] |
10_2_033937F5 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033803E2 mov eax, dword ptr fs:[00000030h] |
10_2_033803E2 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033803E2 mov eax, dword ptr fs:[00000030h] |
10_2_033803E2 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033803E2 mov eax, dword ptr fs:[00000030h] |
10_2_033803E2 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033803E2 mov eax, dword ptr fs:[00000030h] |
10_2_033803E2 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033803E2 mov eax, dword ptr fs:[00000030h] |
10_2_033803E2 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033803E2 mov eax, dword ptr fs:[00000030h] |
10_2_033803E2 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0337DBE9 mov eax, dword ptr fs:[00000030h] |
10_2_0337DBE9 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03425BA5 mov eax, dword ptr fs:[00000030h] |
10_2_03425BA5 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D53CA mov eax, dword ptr fs:[00000030h] |
10_2_033D53CA |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D53CA mov eax, dword ptr fs:[00000030h] |
10_2_033D53CA |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0335E620 mov eax, dword ptr fs:[00000030h] |
10_2_0335E620 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03394A2C mov eax, dword ptr fs:[00000030h] |
10_2_03394A2C |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03394A2C mov eax, dword ptr fs:[00000030h] |
10_2_03394A2C |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0340B260 mov eax, dword ptr fs:[00000030h] |
10_2_0340B260 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0340B260 mov eax, dword ptr fs:[00000030h] |
10_2_0340B260 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03428A62 mov eax, dword ptr fs:[00000030h] |
10_2_03428A62 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0335AA16 mov eax, dword ptr fs:[00000030h] |
10_2_0335AA16 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0335AA16 mov eax, dword ptr fs:[00000030h] |
10_2_0335AA16 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338A61C mov eax, dword ptr fs:[00000030h] |
10_2_0338A61C |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338A61C mov eax, dword ptr fs:[00000030h] |
10_2_0338A61C |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03355210 mov eax, dword ptr fs:[00000030h] |
10_2_03355210 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03355210 mov ecx, dword ptr fs:[00000030h] |
10_2_03355210 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03355210 mov eax, dword ptr fs:[00000030h] |
10_2_03355210 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03355210 mov eax, dword ptr fs:[00000030h] |
10_2_03355210 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03373A1C mov eax, dword ptr fs:[00000030h] |
10_2_03373A1C |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0335C600 mov eax, dword ptr fs:[00000030h] |
10_2_0335C600 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0335C600 mov eax, dword ptr fs:[00000030h] |
10_2_0335C600 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0335C600 mov eax, dword ptr fs:[00000030h] |
10_2_0335C600 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03388E00 mov eax, dword ptr fs:[00000030h] |
10_2_03388E00 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03368A0A mov eax, dword ptr fs:[00000030h] |
10_2_03368A0A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0339927A mov eax, dword ptr fs:[00000030h] |
10_2_0339927A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0337AE73 mov eax, dword ptr fs:[00000030h] |
10_2_0337AE73 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0337AE73 mov eax, dword ptr fs:[00000030h] |
10_2_0337AE73 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0337AE73 mov eax, dword ptr fs:[00000030h] |
10_2_0337AE73 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0337AE73 mov eax, dword ptr fs:[00000030h] |
10_2_0337AE73 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0337AE73 mov eax, dword ptr fs:[00000030h] |
10_2_0337AE73 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03411608 mov eax, dword ptr fs:[00000030h] |
10_2_03411608 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0336766D mov eax, dword ptr fs:[00000030h] |
10_2_0336766D |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033E4257 mov eax, dword ptr fs:[00000030h] |
10_2_033E4257 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03359240 mov eax, dword ptr fs:[00000030h] |
10_2_03359240 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03359240 mov eax, dword ptr fs:[00000030h] |
10_2_03359240 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03359240 mov eax, dword ptr fs:[00000030h] |
10_2_03359240 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03359240 mov eax, dword ptr fs:[00000030h] |
10_2_03359240 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03367E41 mov eax, dword ptr fs:[00000030h] |
10_2_03367E41 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03367E41 mov eax, dword ptr fs:[00000030h] |
10_2_03367E41 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03367E41 mov eax, dword ptr fs:[00000030h] |
10_2_03367E41 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03367E41 mov eax, dword ptr fs:[00000030h] |
10_2_03367E41 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03367E41 mov eax, dword ptr fs:[00000030h] |
10_2_03367E41 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03367E41 mov eax, dword ptr fs:[00000030h] |
10_2_03367E41 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0340FE3F mov eax, dword ptr fs:[00000030h] |
10_2_0340FE3F |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0340FEC0 mov eax, dword ptr fs:[00000030h] |
10_2_0340FEC0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0336AAB0 mov eax, dword ptr fs:[00000030h] |
10_2_0336AAB0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0336AAB0 mov eax, dword ptr fs:[00000030h] |
10_2_0336AAB0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338FAB0 mov eax, dword ptr fs:[00000030h] |
10_2_0338FAB0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033552A5 mov eax, dword ptr fs:[00000030h] |
10_2_033552A5 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033552A5 mov eax, dword ptr fs:[00000030h] |
10_2_033552A5 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033552A5 mov eax, dword ptr fs:[00000030h] |
10_2_033552A5 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033552A5 mov eax, dword ptr fs:[00000030h] |
10_2_033552A5 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033552A5 mov eax, dword ptr fs:[00000030h] |
10_2_033552A5 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03428ED6 mov eax, dword ptr fs:[00000030h] |
10_2_03428ED6 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D46A7 mov eax, dword ptr fs:[00000030h] |
10_2_033D46A7 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338D294 mov eax, dword ptr fs:[00000030h] |
10_2_0338D294 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338D294 mov eax, dword ptr fs:[00000030h] |
10_2_0338D294 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033EFE87 mov eax, dword ptr fs:[00000030h] |
10_2_033EFE87 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033676E2 mov eax, dword ptr fs:[00000030h] |
10_2_033676E2 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033816E0 mov ecx, dword ptr fs:[00000030h] |
10_2_033816E0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03382AE4 mov eax, dword ptr fs:[00000030h] |
10_2_03382AE4 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03420EA5 mov eax, dword ptr fs:[00000030h] |
10_2_03420EA5 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03420EA5 mov eax, dword ptr fs:[00000030h] |
10_2_03420EA5 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03420EA5 mov eax, dword ptr fs:[00000030h] |
10_2_03420EA5 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03382ACB mov eax, dword ptr fs:[00000030h] |
10_2_03382ACB |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033836CC mov eax, dword ptr fs:[00000030h] |
10_2_033836CC |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03398EC7 mov eax, dword ptr fs:[00000030h] |
10_2_03398EC7 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338513A mov eax, dword ptr fs:[00000030h] |
10_2_0338513A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338513A mov eax, dword ptr fs:[00000030h] |
10_2_0338513A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03363D34 mov eax, dword ptr fs:[00000030h] |
10_2_03363D34 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03363D34 mov eax, dword ptr fs:[00000030h] |
10_2_03363D34 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03363D34 mov eax, dword ptr fs:[00000030h] |
10_2_03363D34 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03363D34 mov eax, dword ptr fs:[00000030h] |
10_2_03363D34 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03363D34 mov eax, dword ptr fs:[00000030h] |
10_2_03363D34 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03363D34 mov eax, dword ptr fs:[00000030h] |
10_2_03363D34 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03363D34 mov eax, dword ptr fs:[00000030h] |
10_2_03363D34 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03363D34 mov eax, dword ptr fs:[00000030h] |
10_2_03363D34 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03363D34 mov eax, dword ptr fs:[00000030h] |
10_2_03363D34 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03363D34 mov eax, dword ptr fs:[00000030h] |
10_2_03363D34 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03363D34 mov eax, dword ptr fs:[00000030h] |
10_2_03363D34 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03363D34 mov eax, dword ptr fs:[00000030h] |
10_2_03363D34 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03363D34 mov eax, dword ptr fs:[00000030h] |
10_2_03363D34 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03384D3B mov eax, dword ptr fs:[00000030h] |
10_2_03384D3B |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03384D3B mov eax, dword ptr fs:[00000030h] |
10_2_03384D3B |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03384D3B mov eax, dword ptr fs:[00000030h] |
10_2_03384D3B |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0335AD30 mov eax, dword ptr fs:[00000030h] |
10_2_0335AD30 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033DA537 mov eax, dword ptr fs:[00000030h] |
10_2_033DA537 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03374120 mov eax, dword ptr fs:[00000030h] |
10_2_03374120 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03374120 mov eax, dword ptr fs:[00000030h] |
10_2_03374120 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03374120 mov eax, dword ptr fs:[00000030h] |
10_2_03374120 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03374120 mov eax, dword ptr fs:[00000030h] |
10_2_03374120 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03374120 mov ecx, dword ptr fs:[00000030h] |
10_2_03374120 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03359100 mov eax, dword ptr fs:[00000030h] |
10_2_03359100 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03359100 mov eax, dword ptr fs:[00000030h] |
10_2_03359100 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03359100 mov eax, dword ptr fs:[00000030h] |
10_2_03359100 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0337C577 mov eax, dword ptr fs:[00000030h] |
10_2_0337C577 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0337C577 mov eax, dword ptr fs:[00000030h] |
10_2_0337C577 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0335B171 mov eax, dword ptr fs:[00000030h] |
10_2_0335B171 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0335B171 mov eax, dword ptr fs:[00000030h] |
10_2_0335B171 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0335C962 mov eax, dword ptr fs:[00000030h] |
10_2_0335C962 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03377D50 mov eax, dword ptr fs:[00000030h] |
10_2_03377D50 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0337B944 mov eax, dword ptr fs:[00000030h] |
10_2_0337B944 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0337B944 mov eax, dword ptr fs:[00000030h] |
10_2_0337B944 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03428D34 mov eax, dword ptr fs:[00000030h] |
10_2_03428D34 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03393D43 mov eax, dword ptr fs:[00000030h] |
10_2_03393D43 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D3540 mov eax, dword ptr fs:[00000030h] |
10_2_033D3540 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D51BE mov eax, dword ptr fs:[00000030h] |
10_2_033D51BE |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D51BE mov eax, dword ptr fs:[00000030h] |
10_2_033D51BE |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D51BE mov eax, dword ptr fs:[00000030h] |
10_2_033D51BE |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D51BE mov eax, dword ptr fs:[00000030h] |
10_2_033D51BE |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03381DB5 mov eax, dword ptr fs:[00000030h] |
10_2_03381DB5 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03381DB5 mov eax, dword ptr fs:[00000030h] |
10_2_03381DB5 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03381DB5 mov eax, dword ptr fs:[00000030h] |
10_2_03381DB5 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033861A0 mov eax, dword ptr fs:[00000030h] |
10_2_033861A0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033861A0 mov eax, dword ptr fs:[00000030h] |
10_2_033861A0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033835A1 mov eax, dword ptr fs:[00000030h] |
10_2_033835A1 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D69A6 mov eax, dword ptr fs:[00000030h] |
10_2_033D69A6 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338FD9B mov eax, dword ptr fs:[00000030h] |
10_2_0338FD9B |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338FD9B mov eax, dword ptr fs:[00000030h] |
10_2_0338FD9B |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0341FDE2 mov eax, dword ptr fs:[00000030h] |
10_2_0341FDE2 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0341FDE2 mov eax, dword ptr fs:[00000030h] |
10_2_0341FDE2 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0341FDE2 mov eax, dword ptr fs:[00000030h] |
10_2_0341FDE2 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0341FDE2 mov eax, dword ptr fs:[00000030h] |
10_2_0341FDE2 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03382990 mov eax, dword ptr fs:[00000030h] |
10_2_03382990 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03408DF1 mov eax, dword ptr fs:[00000030h] |
10_2_03408DF1 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0337C182 mov eax, dword ptr fs:[00000030h] |
10_2_0337C182 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03382581 mov eax, dword ptr fs:[00000030h] |
10_2_03382581 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03382581 mov eax, dword ptr fs:[00000030h] |
10_2_03382581 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03382581 mov eax, dword ptr fs:[00000030h] |
10_2_03382581 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03382581 mov eax, dword ptr fs:[00000030h] |
10_2_03382581 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338A185 mov eax, dword ptr fs:[00000030h] |
10_2_0338A185 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03352D8A mov eax, dword ptr fs:[00000030h] |
10_2_03352D8A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03352D8A mov eax, dword ptr fs:[00000030h] |
10_2_03352D8A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03352D8A mov eax, dword ptr fs:[00000030h] |
10_2_03352D8A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03352D8A mov eax, dword ptr fs:[00000030h] |
10_2_03352D8A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03352D8A mov eax, dword ptr fs:[00000030h] |
10_2_03352D8A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0335B1E1 mov eax, dword ptr fs:[00000030h] |
10_2_0335B1E1 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0335B1E1 mov eax, dword ptr fs:[00000030h] |
10_2_0335B1E1 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0335B1E1 mov eax, dword ptr fs:[00000030h] |
10_2_0335B1E1 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033E41E8 mov eax, dword ptr fs:[00000030h] |
10_2_033E41E8 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0336D5E0 mov eax, dword ptr fs:[00000030h] |
10_2_0336D5E0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0336D5E0 mov eax, dword ptr fs:[00000030h] |
10_2_0336D5E0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_034205AC mov eax, dword ptr fs:[00000030h] |
10_2_034205AC |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_034205AC mov eax, dword ptr fs:[00000030h] |
10_2_034205AC |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D6DC9 mov eax, dword ptr fs:[00000030h] |
10_2_033D6DC9 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D6DC9 mov eax, dword ptr fs:[00000030h] |
10_2_033D6DC9 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D6DC9 mov eax, dword ptr fs:[00000030h] |
10_2_033D6DC9 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D6DC9 mov ecx, dword ptr fs:[00000030h] |
10_2_033D6DC9 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D6DC9 mov eax, dword ptr fs:[00000030h] |
10_2_033D6DC9 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D6DC9 mov eax, dword ptr fs:[00000030h] |
10_2_033D6DC9 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338BC2C mov eax, dword ptr fs:[00000030h] |
10_2_0338BC2C |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338002D mov eax, dword ptr fs:[00000030h] |
10_2_0338002D |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338002D mov eax, dword ptr fs:[00000030h] |
10_2_0338002D |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338002D mov eax, dword ptr fs:[00000030h] |
10_2_0338002D |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338002D mov eax, dword ptr fs:[00000030h] |
10_2_0338002D |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338002D mov eax, dword ptr fs:[00000030h] |
10_2_0338002D |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0336B02A mov eax, dword ptr fs:[00000030h] |
10_2_0336B02A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0336B02A mov eax, dword ptr fs:[00000030h] |
10_2_0336B02A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0336B02A mov eax, dword ptr fs:[00000030h] |
10_2_0336B02A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0336B02A mov eax, dword ptr fs:[00000030h] |
10_2_0336B02A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D7016 mov eax, dword ptr fs:[00000030h] |
10_2_033D7016 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D7016 mov eax, dword ptr fs:[00000030h] |
10_2_033D7016 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D7016 mov eax, dword ptr fs:[00000030h] |
10_2_033D7016 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03412073 mov eax, dword ptr fs:[00000030h] |
10_2_03412073 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03421074 mov eax, dword ptr fs:[00000030h] |
10_2_03421074 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D6C0A mov eax, dword ptr fs:[00000030h] |
10_2_033D6C0A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D6C0A mov eax, dword ptr fs:[00000030h] |
10_2_033D6C0A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D6C0A mov eax, dword ptr fs:[00000030h] |
10_2_033D6C0A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D6C0A mov eax, dword ptr fs:[00000030h] |
10_2_033D6C0A |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h] |
10_2_03411C06 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h] |
10_2_03411C06 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h] |
10_2_03411C06 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h] |
10_2_03411C06 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h] |
10_2_03411C06 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h] |
10_2_03411C06 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h] |
10_2_03411C06 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h] |
10_2_03411C06 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h] |
10_2_03411C06 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h] |
10_2_03411C06 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h] |
10_2_03411C06 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h] |
10_2_03411C06 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h] |
10_2_03411C06 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h] |
10_2_03411C06 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0342740D mov eax, dword ptr fs:[00000030h] |
10_2_0342740D |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0342740D mov eax, dword ptr fs:[00000030h] |
10_2_0342740D |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0342740D mov eax, dword ptr fs:[00000030h] |
10_2_0342740D |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03424015 mov eax, dword ptr fs:[00000030h] |
10_2_03424015 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03424015 mov eax, dword ptr fs:[00000030h] |
10_2_03424015 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0337746D mov eax, dword ptr fs:[00000030h] |
10_2_0337746D |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03370050 mov eax, dword ptr fs:[00000030h] |
10_2_03370050 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03370050 mov eax, dword ptr fs:[00000030h] |
10_2_03370050 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033EC450 mov eax, dword ptr fs:[00000030h] |
10_2_033EC450 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033EC450 mov eax, dword ptr fs:[00000030h] |
10_2_033EC450 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338A44B mov eax, dword ptr fs:[00000030h] |
10_2_0338A44B |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338F0BF mov ecx, dword ptr fs:[00000030h] |
10_2_0338F0BF |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338F0BF mov eax, dword ptr fs:[00000030h] |
10_2_0338F0BF |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0338F0BF mov eax, dword ptr fs:[00000030h] |
10_2_0338F0BF |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03428CD6 mov eax, dword ptr fs:[00000030h] |
10_2_03428CD6 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033990AF mov eax, dword ptr fs:[00000030h] |
10_2_033990AF |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033820A0 mov eax, dword ptr fs:[00000030h] |
10_2_033820A0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033820A0 mov eax, dword ptr fs:[00000030h] |
10_2_033820A0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033820A0 mov eax, dword ptr fs:[00000030h] |
10_2_033820A0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033820A0 mov eax, dword ptr fs:[00000030h] |
10_2_033820A0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033820A0 mov eax, dword ptr fs:[00000030h] |
10_2_033820A0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033820A0 mov eax, dword ptr fs:[00000030h] |
10_2_033820A0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_0336849B mov eax, dword ptr fs:[00000030h] |
10_2_0336849B |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_03359080 mov eax, dword ptr fs:[00000030h] |
10_2_03359080 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D3884 mov eax, dword ptr fs:[00000030h] |
10_2_033D3884 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D3884 mov eax, dword ptr fs:[00000030h] |
10_2_033D3884 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_034114FB mov eax, dword ptr fs:[00000030h] |
10_2_034114FB |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D6CF0 mov eax, dword ptr fs:[00000030h] |
10_2_033D6CF0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D6CF0 mov eax, dword ptr fs:[00000030h] |
10_2_033D6CF0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033D6CF0 mov eax, dword ptr fs:[00000030h] |
10_2_033D6CF0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033558EC mov eax, dword ptr fs:[00000030h] |
10_2_033558EC |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033EB8D0 mov eax, dword ptr fs:[00000030h] |
10_2_033EB8D0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033EB8D0 mov ecx, dword ptr fs:[00000030h] |
10_2_033EB8D0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033EB8D0 mov eax, dword ptr fs:[00000030h] |
10_2_033EB8D0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033EB8D0 mov eax, dword ptr fs:[00000030h] |
10_2_033EB8D0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033EB8D0 mov eax, dword ptr fs:[00000030h] |
10_2_033EB8D0 |
| Source: C:\Windows\SysWOW64\NETSTAT.EXE |
Code function: 10_2_033EB8D0 mov eax, dword ptr fs:[00000030h] |
10_2_033EB8D0 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
1_2_00EBE8C3 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, |
1_2_00EB8FA3 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, |
1_2_00EBE1D4 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: GetLocaleInfoW,_GetPrimaryLen, |
1_2_00EBE970 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, |
1_2_00EB8969 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: GetLocaleInfoW,_GetPrimaryLen, |
1_2_00EBE970 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, |
1_2_00EA4194 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, |
1_2_00EBEA44 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: _GetPrimaryLen,EnumSystemLocalesW, |
1_2_00EBE4A4 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, |
1_2_00EB4CB1 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: EnumSystemLocalesW, |
1_2_00EBE448 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free, |
1_2_00EA26FB |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, |
1_2_00EBE5A4 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, |
1_2_00EB9D92 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free,_free,_free, |
1_2_00EB8529 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: _GetPrimaryLen,EnumSystemLocalesW, |
1_2_00EBE521 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, |
1_2_00EB8FA3 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free,_free,_free, |
1_2_00EB8529 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free, |
1_2_00EA67B8 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: GetLocaleInfoW, |
1_2_00EB9FDB |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, |
1_2_00EB8FA3 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, |
1_2_00EBE799 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, |
1_2_00EBA75F |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
2_2_00EBE8C3 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, |
2_2_00EB8FA3 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: __malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free, |
2_2_00EA1110 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, |
2_2_00EBE1D4 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: GetLocaleInfoW,_GetPrimaryLen, |
2_2_00EBE970 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, |
2_2_00EB8969 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: GetLocaleInfoW,_GetPrimaryLen, |
2_2_00EBE970 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, |
2_2_00EA4194 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, |
2_2_00EBEA44 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: _GetPrimaryLen,EnumSystemLocalesW, |
2_2_00EBE4A4 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, |
2_2_00EB4CB1 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: EnumSystemLocalesW, |
2_2_00EBE448 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free, |
2_2_00EA26FB |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, |
2_2_00EB9D92 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free,_free,_free, |
2_2_00EB8529 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: _GetPrimaryLen,EnumSystemLocalesW, |
2_2_00EBE521 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, |
2_2_00EB8FA3 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free,_free,_free, |
2_2_00EB8529 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free, |
2_2_00EA67B8 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: GetLocaleInfoW, |
2_2_00EB9FDB |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, |
2_2_00EB8FA3 |
| Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe |
Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, |
2_2_00EBE799 |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet