Source: 2.0.zrztlh.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.0.zrztlh.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 2.0.zrztlh.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.0.zrztlh.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.2.zrztlh.exe.730000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.2.zrztlh.exe.730000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 2.2.zrztlh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.2.zrztlh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 2.2.zrztlh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.2.zrztlh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 2.0.zrztlh.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.0.zrztlh.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 2.0.zrztlh.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.0.zrztlh.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 2.0.zrztlh.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 2.0.zrztlh.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 1.2.zrztlh.exe.730000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 1.2.zrztlh.exe.730000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000001.00000002.447718606.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000001.00000002.447718606.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000002.00000002.533348401.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000002.00000002.533348401.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000003.00000000.509506176.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000003.00000000.509506176.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000003.00000000.489068141.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000003.00000000.489068141.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000002.00000000.445889127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000002.00000000.445889127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000000A.00000002.716275585.0000000000E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000000A.00000002.716275585.0000000000E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000002.00000000.443445716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000002.00000000.443445716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 2.0.zrztlh.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.0.zrztlh.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 2.0.zrztlh.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.0.zrztlh.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 1.2.zrztlh.exe.730000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 1.2.zrztlh.exe.730000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 2.2.zrztlh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.2.zrztlh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 2.2.zrztlh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.2.zrztlh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 2.0.zrztlh.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.0.zrztlh.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 2.0.zrztlh.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.0.zrztlh.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 2.0.zrztlh.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 2.0.zrztlh.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 1.2.zrztlh.exe.730000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 1.2.zrztlh.exe.730000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000001.00000002.447718606.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000001.00000002.447718606.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000002.00000002.533348401.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000002.00000002.533348401.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000003.00000000.509506176.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000003.00000000.509506176.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000003.00000000.489068141.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000003.00000000.489068141.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000002.00000000.445889127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000002.00000000.445889127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000000A.00000002.716275585.0000000000E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000A.00000002.716275585.0000000000E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000002.00000000.443445716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000002.00000000.443445716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: 2_2_0041A330 NtCreateFile, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: 2_2_0041A3E0 NtReadFile, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: 2_2_0041A460 NtClose, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: 2_2_0041A510 NtAllocateVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: 2_2_0041A32A NtCreateFile, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: 2_2_0041A3DB NtReadFile, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: 2_2_0041A45A NtClose, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399710 NtQueryInformationToken,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399780 NtMapViewOfSection,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399FE0 NtCreateMutant,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399660 NtAllocateVirtualMemory,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399A50 NtCreateFile,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399650 NtQueryValueKey,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033996E0 NtFreeVirtualMemory,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033996D0 NtCreateKey,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399910 NtAdjustPrivilegesToken,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399540 NtReadFile,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033999A0 NtCreateSection,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033995D0 NtClose,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399860 NtQuerySystemInformation,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399840 NtDelayExecution,LdrInitializeThunk, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399730 NtQueryVirtualMemory, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0339A710 NtOpenProcessToken, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399B00 NtSetValueKey, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399770 NtSetInformationFile, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0339A770 NtOpenThread, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399760 NtOpenProcess, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0339A3B0 NtGetContextThread, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033997A0 NtUnmapViewOfSection, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399A20 NtResumeThread, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399610 NtEnumerateValueKey, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399A10 NtQuerySection, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399A00 NtProtectVirtualMemory, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399670 NtQueryInformationProcess, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399A80 NtOpenDirectoryObject, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0339AD30 NtSetContextThread, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399520 NtWaitForSingleObject, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399560 NtWriteFile, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399950 NtQueueApcThread, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033995F0 NtQueryInformationFile, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033999D0 NtCreateProcessEx, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03399820 NtEnumerateKey, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0339B040 NtSuspendThread, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033998A0 NtWriteVirtualMemory, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033998F0 NtReadVirtualMemory, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_007DA330 NtCreateFile, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_007DA3E0 NtReadFile, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_007DA460 NtClose, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_007DA510 NtAllocateVirtualMemory, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_007DA32A NtCreateFile, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_007DA3DB NtReadFile, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_007DA45A NtClose, |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0338E730 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03428B58 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03354F2E mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0337F716 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03428F6A mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033EFF10 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0338A70E mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03383B7A mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0342070D mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0335DB60 mov ecx, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0336FF60 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0341131B mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0335F358 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0335DB40 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0336EF40 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03384BAD mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03368794 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0338B390 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033D7794 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03382397 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03361B8F mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0340D380 mov ecx, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0341138A mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033937F5 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033803E2 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0337DBE9 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03425BA5 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033D53CA mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0335E620 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03394A2C mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0340B260 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03428A62 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0335AA16 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0338A61C mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03355210 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03355210 mov ecx, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03373A1C mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0335C600 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03388E00 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03368A0A mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0339927A mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0337AE73 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03411608 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0336766D mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033E4257 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03359240 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03367E41 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0340FE3F mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0340FEC0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0336AAB0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0338FAB0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033552A5 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03428ED6 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033D46A7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0338D294 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033EFE87 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033676E2 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033816E0 mov ecx, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03382AE4 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03420EA5 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03382ACB mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033836CC mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03398EC7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0338513A mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03363D34 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03384D3B mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0335AD30 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033DA537 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03374120 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03374120 mov ecx, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03359100 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0337C577 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0335B171 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0335C962 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03377D50 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0337B944 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03428D34 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03393D43 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033D3540 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033D51BE mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03381DB5 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033861A0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033835A1 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033D69A6 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0338FD9B mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0341FDE2 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03382990 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03408DF1 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0337C182 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03382581 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0338A185 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03352D8A mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0335B1E1 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033E41E8 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0336D5E0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_034205AC mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033D6DC9 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033D6DC9 mov ecx, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0338BC2C mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0338002D mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0336B02A mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033D7016 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03412073 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03421074 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033D6C0A mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0342740D mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03424015 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0337746D mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03370050 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033EC450 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0338A44B mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0338F0BF mov ecx, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0338F0BF mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03428CD6 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033990AF mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033820A0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_0336849B mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_03359080 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033D3884 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_034114FB mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033D6CF0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033558EC mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033EB8D0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 10_2_033EB8D0 mov ecx, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: GetLocaleInfoW,_GetPrimaryLen, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: GetLocaleInfoW,_GetPrimaryLen, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: EnumSystemLocalesW, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free,_free,_free, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free,_free,_free, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: GetLocaleInfoW, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: __malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: GetLocaleInfoW,_GetPrimaryLen, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: EnumSystemLocalesW, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free,_free,_free, |
Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, |