
Windows Analysis Report
vstdlib_s64.dll.dll

Overview

General Information

Sample name: vstdlib_s64.dll.dll (renamed file extension from exe to dll)
Original sample name: vstdlib_s64.dll.exe
Analysis ID: 1629406
MD5: 151b39cf4263b51c7e7997f709808891
SHA1: 11944a076090d1b5b39ba6b52c3a8a9d9683f416
SHA256: 68cc07802289ffde1c9047856d1c15e94482d874c60f5e1fc470e8bc59b20f32
Tags: dll, exe, user-aachum

Detection

RHADAMANTHYS
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected RHADAMANTHYS Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • loaddll64.exe (PID: 7288 cmdline: loaddll64.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7340 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 7364 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • aspnet_wp.exe (PID: 7404 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" MD5: EF2DCDFF05E9679F8D0E2895D9A2E3BB)
          • svchost.exe (PID: 7512 cmdline: "C:\Windows\System32\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
            • fontdrvhost.exe (PID: 7788 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
          • WerFault.exe (PID: 7576 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7404 -s 588 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7348 cmdline: rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,0JtuASf5KRJM1m7CP2DvOGzERQL MD5: EF3179D498793BF4234F708D3BE28633)
      • aspnet_wp.exe (PID: 7396 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" MD5: EF2DCDFF05E9679F8D0E2895D9A2E3BB)
        • WerFault.exe (PID: 7496 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 468 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7608 cmdline: rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,0jAhJvcYIPDZ24PSXVYavD8K MD5: EF3179D498793BF4234F708D3BE28633)
      • aspnet_wp.exe (PID: 7628 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" MD5: EF2DCDFF05E9679F8D0E2895D9A2E3BB)
        • WerFault.exe (PID: 7676 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7628 -s 464 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7712 cmdline: rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,173IY60Q MD5: EF3179D498793BF4234F708D3BE28633)
      • aspnet_wp.exe (PID: 7732 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" MD5: EF2DCDFF05E9679F8D0E2895D9A2E3BB)
        • WerFault.exe (PID: 7768 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7732 -s 464 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7804 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",0JtuASf5KRJM1m7CP2DvOGzERQL MD5: EF3179D498793BF4234F708D3BE28633)
      • aspnet_wp.exe (PID: 7852 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" MD5: EF2DCDFF05E9679F8D0E2895D9A2E3BB)
    • rundll32.exe (PID: 7812 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",0jAhJvcYIPDZ24PSXVYavD8K MD5: EF3179D498793BF4234F708D3BE28633)
      • aspnet_wp.exe (PID: 7872 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" MD5: EF2DCDFF05E9679F8D0E2895D9A2E3BB)
    • rundll32.exe (PID: 7828 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",173IY60Q MD5: EF3179D498793BF4234F708D3BE28633)
      • aspnet_wp.exe (PID: 7908 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" MD5: EF2DCDFF05E9679F8D0E2895D9A2E3BB)
    • rundll32.exe (PID: 7860 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",zTUCjK713b MD5: EF3179D498793BF4234F708D3BE28633)
      • aspnet_wp.exe (PID: 7928 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" MD5: EF2DCDFF05E9679F8D0E2895D9A2E3BB)
      • csc.exe (PID: 8036 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
    • rundll32.exe (PID: 7888 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",zBSEjmNmvbnuGbbjL67CPQatDx8WVg MD5: EF3179D498793BF4234F708D3BE28633)
      • aspnet_wp.exe (PID: 7952 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" MD5: EF2DCDFF05E9679F8D0E2895D9A2E3BB)
      • csc.exe (PID: 8060 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
    • rundll32.exe (PID: 7916 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",yx6HRSAvXu71cki2UP MD5: EF3179D498793BF4234F708D3BE28633)
      • aspnet_wp.exe (PID: 7996 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" MD5: EF2DCDFF05E9679F8D0E2895D9A2E3BB)
    • rundll32.exe (PID: 7944 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",ymPj70lSkYuvU1IX343v MD5: EF3179D498793BF4234F708D3BE28633)
      • aspnet_wp.exe (PID: 8044 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" MD5: EF2DCDFF05E9679F8D0E2895D9A2E3BB)
    • rundll32.exe (PID: 7976 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",yWHf8uRZL MD5: EF3179D498793BF4234F708D3BE28633)
      • aspnet_wp.exe (PID: 8092 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" MD5: EF2DCDFF05E9679F8D0E2895D9A2E3BB)
    • rundll32.exe (PID: 8020 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",yLhJlDeDsE13qMVifgCiU6Sio MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 8068 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",yLdl32GLsBqQrfNqVsRCiWV7d8e6 MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: Sandworm
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Malware configuration (Rhadamanthys): {"C2 url": "https://83.217.208.36:3876/4eaee7bb9ded9b9d0e847/8p4mevio.ek43q"}

Source | Rule | Description | Author | Strings
00000012.00000003.1735563445.00000000050A0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security |
00000029.00000003.1818743431.0000000007A50000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000029.00000003.1820255773.0000000007C70000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000027.00000003.1813244913.00000000078A0000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000005.00000003.1675833208.0000000004D20000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security |
(5 of 31 entries shown)

Source | Rule | Description | Author | Strings
25.3.aspnet_wp.exe.76c0000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
25.3.aspnet_wp.exe.76c0000.6.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
25.3.aspnet_wp.exe.78e0000.7.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
6.3.aspnet_wp.exe.7080000.6.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
41.3.aspnet_wp.exe.7c70000.7.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
(5 of 12 entries shown)

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, ParentProcessId: 7404, ParentProcessName: aspnet_wp.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 7512, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, ParentProcessId: 7404, ParentProcessName: aspnet_wp.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 7512, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-04T17:43:15.947848+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 83.217.208.36 | 3876 | 192.168.2.4 | 49730 | TCP
2025-03-04T17:43:27.503570+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 83.217.208.36 | 3876 | 192.168.2.4 | 49735 | TCP

AV Detection

Source: 00000028.00000002.1769670195.00000275F9C00000.00000004.00001000.00020000.00000000.sdmp, Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://83.217.208.36:3876/4eaee7bb9ded9b9d0e847/8p4mevio.ek43q"}
Source: vstdlib_s64.dll.dll, Virustotal: Detection: 11%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability
Source: vstdlib_s64.dll.dll, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wkernel32.pdb source: aspnet_wp.exe, 00000006.00000003.1679307892.0000000007080000.00000004.00000001.00020000.00000000.sdmp, aspnet_wp.exe, 00000006.00000003.1679438513.00000000071A0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1690690612.0000000004A00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1690800404.0000000004B20000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: aspnet_wp.exe, 00000006.00000003.1679891251.0000000007080000.00000004.00000001.00020000.00000000.sdmp, aspnet_wp.exe, 00000006.00000003.1680205438.00000000072A0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1691005457.0000000004A00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1691208458.0000000004C20000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: aspnet_wp.exe, 00000006.00000003.1677139668.0000000007270000.00000004.00000001.00020000.00000000.sdmp, aspnet_wp.exe, 00000006.00000003.1676801522.0000000007080000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1689458714.0000000004A00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1689771730.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: aspnet_wp.exe, 00000006.00000003.1678162243.0000000007220000.00000004.00000001.00020000.00000000.sdmp, aspnet_wp.exe, 00000006.00000003.1677694317.0000000007080000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1690294516.0000000004BA0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1690064045.0000000004A00000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: aspnet_wp.exe, 00000006.00000003.1677139668.0000000007270000.00000004.00000001.00020000.00000000.sdmp, aspnet_wp.exe, 00000006.00000003.1676801522.0000000007080000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1689458714.0000000004A00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1689771730.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aspnet_wp.exe, 00000006.00000003.1678162243.0000000007220000.00000004.00000001.00020000.00000000.sdmp, aspnet_wp.exe, 00000006.00000003.1677694317.0000000007080000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1690294516.0000000004BA0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1690064045.0000000004A00000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: aspnet_wp.exe, 00000006.00000003.1679891251.0000000007080000.00000004.00000001.00020000.00000000.sdmp, aspnet_wp.exe, 00000006.00000003.1680205438.00000000072A0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1691005457.0000000004A00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1691208458.0000000004C20000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: aspnet_wp.exe, 00000006.00000003.1679307892.0000000007080000.00000004.00000001.00020000.00000000.sdmp, aspnet_wp.exe, 00000006.00000003.1679438513.00000000071A0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1690690612.0000000004A00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1690800404.0000000004B20000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Windows\System32\fontdrvhost.exe, Code function: 4x nop then dec esp, 21_2_000001D989A30511

                      Networking

Source: Network traffic, Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 83.217.208.36:3876 -> 192.168.2.4:49730
Source: Network traffic, Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 83.217.208.36:3876 -> 192.168.2.4:49735
Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 83.217.208.36 3876
Source: Malware configuration extractor, URLs: https://83.217.208.36:3876/4eaee7bb9ded9b9d0e847/8p4mevio.ek43q
Source: global traffic, TCP traffic: 192.168.2.4:49730 -> 83.217.208.36:3876
Source: Joe Sandbox View, ASN Name: INF-NET-ASRU INF-NET-ASRU
Source: unknown, TCP traffic detected without corresponding DNS query: 83.217.208.36 (this entry is repeated 50 times in the report)
Source: svchost.exe, 0000000A.00000002.1747423478.000000000248C000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1747733306.000000000290C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, String found in binary or memory: https://83.217.208.36:3876/4eaee7bb9ded9b9d0e847/8p4mevio.ek43q
Source: svchost.exe, 0000000A.00000002.1747733306.000000000290C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://83.217.208.36:3876/4eaee7bb9ded9b9d0e847/8p4mevio.ek43qkernelbasentdllkernel32GetProcessMiti
Source: svchost.exe, 0000000A.00000002.1747423478.000000000248C000.00000004.00000010.00020000.00000000.sdmp, String found in binary or memory: https://83.217.208.36:3876/4eaee7bb9ded9b9d0e847/8p4mevio.ek43qx
Source: loaddll64.exe, 00000000.00000002.3046697342.00007FFDFB6E1000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1667842106.00007FFDFB4C1000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1668111768.00007FFDFB72C000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1668112581.00007FFDFB72C000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1667840735.00007FFDFB4C1000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1697629039.00007FFDFB72C000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000D.00000002.1697045199.00007FFDFB4C1000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000028.00000002.1792161642.00007FFDFB94C000.00000004.00000001.01000000.00000003.sdmp, String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: svchost.exe, 0000000A.00000003.1708021828.000000000299F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cloudflare-dns.com/dns-query
Source: svchost.exe, 0000000A.00000003.1708021828.000000000299F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi
Source: aspnet_wp.exe, 00000006.00000003.1679891251.0000000007080000.00000004.00000001.00020000.00000000.sdmp, Binary or memory string: DirectInput8Create memstr_798baba4-d
Source: aspnet_wp.exe, 00000006.00000003.1679891251.0000000007080000.00000004.00000001.00020000.00000000.sdmp, Binary or memory string: GetRawInputData memstr_4a86f954-d
Source: Yara match, File source: 25.3.aspnet_wp.exe.76c0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.3.aspnet_wp.exe.76c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.3.aspnet_wp.exe.78e0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.3.aspnet_wp.exe.7080000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 41.3.aspnet_wp.exe.7c70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.3.aspnet_wp.exe.7080000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 39.3.csc.exe.78a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.3.svchost.exe.4a00000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 39.3.csc.exe.7680000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.3.aspnet_wp.exe.76c0000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 27.3.aspnet_wp.exe.7420000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 41.3.aspnet_wp.exe.7c70000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.3.aspnet_wp.exe.7080000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.3.aspnet_wp.exe.72a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.3.svchost.exe.4c20000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 41.3.aspnet_wp.exe.7a50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 27.3.aspnet_wp.exe.7200000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000029.00000003.1818743431.0000000007A50000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000029.00000003.1820255773.0000000007C70000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000003.1813244913.00000000078A0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000019.00000003.1814098812.00000000076C0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001B.00000003.1815614888.0000000007420000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000003.1679891251.0000000007080000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000003.1810929790.0000000007680000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000003.1680205438.00000000072A0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001B.00000003.1815228959.0000000007200000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000003.1691208458.0000000004C20000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000003.1691005457.0000000004A00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000019.00000003.1814532754.00000000078E0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: aspnet_wp.exe PID: 7404, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: svchost.exe PID: 7512, type: MEMORYSTR
Source: C:\Windows\System32\fontdrvhost.exe, Code function: 21_2_000001D989A31AA4 NtAcceptConnectPort,NtAcceptConnectPort
Source: C:\Windows\System32\fontdrvhost.exe, Code function: 21_2_000001D989A31CF4 NtAcceptConnectPort,CloseHandle
Source: C:\Windows\System32\fontdrvhost.exe, Code function: 21_2_000001D989A315C0 NtAcceptConnectPort
Source: C:\Windows\System32\fontdrvhost.exe, Code function: 21_2_000001D989A30AC8 NtAcceptConnectPort,NtAcceptConnectPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 5_3_0046CC25
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 5_3_0045C09A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 5_3_00461170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 5_3_0045F13B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 5_3_0046264D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 5_3_0045C3DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 5_3_00466F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 6_3_0046CC25
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 6_3_0045C09A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 6_3_00461170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 6_3_0045F13B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 6_3_0046264D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 6_3_0045C3DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 6_3_00466F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 14_3_0046CC25
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 14_3_0045C09A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 14_3_00461170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 14_3_0045F13B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 14_3_0046264D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 14_3_0045C3DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 14_3_00466F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 18_3_0046CC25
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 18_3_0045C09A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 18_3_00461170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 18_3_0045F13B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 18_3_0046264D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 18_3_0045C3DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 18_3_00466F89
Source: C:\Windows\System32\fontdrvhost.exe, Code function: 21_2_000001D989A30C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 25_3_0046CC25
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 25_3_0045C09A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 25_3_00461170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 25_3_0045F13B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 25_3_0046264D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe, Code function: 25_3_0045C3DC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: 25_3_00466F8925_3_00466F89
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: 27_3_0046CC2527_3_0046CC25
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: 27_3_0045C09A27_3_0045C09A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: 27_3_0046117027_3_00461170
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: 27_3_0045F13B27_3_0045F13B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: 27_3_0046264D27_3_0046264D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: 27_3_0045C3DC27_3_0045C3DC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: 27_3_00466F8927_3_00466F89
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: String function: 00464E65 appears 54 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: String function: 0046A825 appears 108 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: String function: 00458EF3 appears 48 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: String function: 0045503C appears 60 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exeCode function: String function: 00457FB0 appears 228 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 468
Source: classification engine | Classification label: mal100.troj.evad.winDLL@140/0@0/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-1b2c4b00-70a6-c0ea79-1af52c864a93}
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\069ffa2c-9c43-44c1-b99f-7dfa426dba0d
Source: vstdlib_s64.dll.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor (appears 2 times)
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,0JtuASf5KRJM1m7CP2DvOGzERQL
Source: vstdlib_s64.dll.dll | Virustotal: Detection: 11%
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,0JtuASf5KRJM1m7CP2DvOGzERQL
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7404 -s 588
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,0jAhJvcYIPDZ24PSXVYavD8K
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7628 -s 464
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,173IY60Q
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7732 -s 464
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",0JtuASf5KRJM1m7CP2DvOGzERQL
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",0jAhJvcYIPDZ24PSXVYavD8K
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",173IY60Q
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",zTUCjK713b
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",zBSEjmNmvbnuGbbjL67CPQatDx8WVg
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",yx6HRSAvXu71cki2UP
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",ymPj70lSkYuvU1IX343v
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",yWHf8uRZL
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",yLhJlDeDsE13qMVifgCiU6Sio
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",yLdl32GLsBqQrfNqVsRCiWV7d8e6
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,0JtuASf5KRJM1m7CP2DvOGzERQL
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,0jAhJvcYIPDZ24PSXVYavD8K
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,173IY60Q
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",0JtuASf5KRJM1m7CP2DvOGzERQL
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",0jAhJvcYIPDZ24PSXVYavD8K
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",173IY60Q
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",zTUCjK713b
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",zBSEjmNmvbnuGbbjL67CPQatDx8WVg
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",yx6HRSAvXu71cki2UP
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",ymPj70lSkYuvU1IX343v
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",yWHf8uRZL
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",yLhJlDeDsE13qMVifgCiU6Sio
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",yLdl32GLsBqQrfNqVsRCiWV7d8e6
Source: C:\Windows\System32\loaddll64.exe | Process created: unknown unknown (appears 19 times)
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 468
Source: C:\Windows\System32\loaddll64.exe | Process created: unknown unknown
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\loaddll64.exe | Process created: unknown unknown (appears 40 times)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: unknown unknown (appears 3 times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe | Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process created: unknown unknown
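Read together, the "Process created" rows above describe one execution chain: loaddll64.exe and cmd.exe start rundll32.exe with the sample's exports, rundll32.exe starts aspnet_wp.exe (the ASP.NET worker process) and csc.exe, aspnet_wp.exe starts a 32-bit svchost.exe from SysWOW64 although its command line asks for C:\Windows\System32\svchost.exe (WoW64 file-system redirection of a 32-bit parent), and that svchost.exe starts fontdrvhost.exe. On a clean system svchost.exe is started by services.exe and fontdrvhost.exe by winlogon.exe or wininit.exe. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses a constructed subset of those rows in the "Source: parent | Process created: child command line" layout used on this page, rebuilds the process tree and flags the parent/child pairs that break normal Windows process genealogy. The expected-parent table and the .NET tooling list are the example's own assumptions, not a rule set taken from the report.

```python
"""Rebuild the process tree from sandbox "Process created" rows and flag
parent/child pairs that do not match normal Windows process genealogy."""
import re
from collections import defaultdict

# Constructed sample: a subset of this report's rows in the
# "Source: <parent> | Process created: <child image> <command line>" layout.
SAMPLE_ROWS = r"""
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,0JtuASf5KRJM1m7CP2DvOGzERQL
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 468
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
""".strip().splitlines()

ROW_RE = re.compile(r"^Source: (?P<parent>.+?) \| Process created: (?P<child>\S+) (?P<cmd>.*)$")

# Children whose parent is fixed by Windows itself (assumed rule table for this example):
# svchost.exe is started by the Service Control Manager, fontdrvhost.exe by winlogon/wininit.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "fontdrvhost.exe": {"winlogon.exe", "wininit.exe"},
}
# .NET framework binaries a DLL hosted in rundll32.exe has no business launching (assumed list).
DOTNET_TOOLING = {"aspnet_wp.exe", "csc.exe", "vbc.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_rows(lines):
    """(parent image, child image, child command line) per row; lines that do not match are skipped."""
    rows = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m["parent"], m["child"], m["cmd"]))
    return rows

def build_tree(rows):
    """Map parent image -> ordered, de-duplicated list of child images."""
    tree = defaultdict(list)
    for parent, child, _ in rows:
        if child not in tree[parent]:
            tree[parent].append(child)
    return dict(tree)

def find_anomalies(rows):
    """List of (child, parent, reason) for every row that violates a rule above."""
    findings = []
    for parent, child, cmd in rows:
        p, c = basename(parent), basename(child)
        allowed = EXPECTED_PARENT.get(c)
        if allowed is not None and p not in allowed:
            findings.append((c, p, "expected parent %s" % sorted(allowed)))
        if p == "rundll32.exe" and c in DOTNET_TOOLING:
            findings.append((c, p, "rundll32-hosted DLL launching a .NET framework binary"))
        # A 32-bit parent asking for C:\Windows\System32\x.exe gets C:\Windows\SysWOW64\x.exe
        # (WoW64 file-system redirection): the created image differs from the requested one.
        requested = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
        if "\\syswow64\\" in child.lower() and "\\system32\\" in requested.lower():
            findings.append((c, p, "32-bit parent, request for System32 redirected to SysWOW64"))
    return findings

def render_tree(tree, root, depth=0):
    """Indented lines of image basenames, depth-first from root."""
    lines = ["  " * depth + basename(root)]
    for child in tree.get(root, []):
        lines.extend(render_tree(tree, child, depth + 1))
    return lines

if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print("\n".join(render_tree(build_tree(rows), r"C:\Windows\System32\loaddll64.exe")))
    for child, parent, why in find_anomalies(rows):
        print("[!] %s -> %s: %s" % (parent, child, why))
```

WerFault.exe is deliberately not flagged: a crashing process launches WerFault.exe itself with its own PID after -p, so the three WerFault rows only say that aspnet_wp.exe (PIDs 7396, 7404, 7628, 7732 in the report) crashed, which matches the "One or more processes crash" signature rather than a separate injection step.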
Source: C:\Windows\System32\loaddll64.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\svchost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: vstdlib_s64.dll.dll | Static PE information: More than 614 > 100 exports found
Source: vstdlib_s64.dll.dll | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: vstdlib_s64.dll.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: vstdlib_s64.dll.dll | Static file information: File size 5885440 > 1048576
Source: vstdlib_s64.dll.dll | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x310000
Source: vstdlib_s64.dll.dll | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x24fe00
Source: vstdlib_s64.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: vstdlib_s64.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: vstdlib_s64.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: vstdlib_s64.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: vstdlib_s64.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: vstdlib_s64.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: vstdlib_s64.dll.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: vstdlib_s64.dll.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
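The static PE rows above (image base 0x180000000, HIGH_ENTROPY_VA/DYNAMIC_BASE/NX_COMPAT, a .text section above 0x100000 bytes, more than 100 exports) come straight from the PE32+ headers and can be re-checked without any sandbox. The parser below is an added example, not code from the report or from the sample's authors. It builds a constructed PE32+ header carrying the values the report lists for vstdlib_s64.dll.dll (the .text virtual size 0x30F000, the header layout and the placement of the export directory at the start of .text are the example's own assumptions) and evaluates the same heuristics against it. These checks are weak evidence on their own: large legitimate libraries also ship multi-megabyte .text sections and hundreds of exports, which is why the verdict on this page rests on the behavioural signatures and the extracted configuration rather than on these rows.

```python
"""Evaluate this report's static PE heuristics with a pure-Python PE32+ header parser."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

def parse_pe(data):
    """Read the fields the heuristics need from a PE32+ image (offsets per the PE/COFF spec)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                  # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(nsections):                           # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + size_opt + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vsize, va, rawsize, rawptr))
    return {"image_base": image_base, "dll_chars": dll_chars, "dirs": dirs, "sections": sections}

def rva_to_offset(sections, rva):
    for _, vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%X not backed by any section" % rva)

def export_count(data, pe):
    """NumberOfFunctions from IMAGE_EXPORT_DIRECTORY (data directory 0, field at +20)."""
    rva, _size = pe["dirs"][0]
    if rva == 0:
        return 0
    return struct.unpack_from("<I", data, rva_to_offset(pe["sections"], rva) + 20)[0]

def dll_flags(pe):
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if pe["dll_chars"] & bit]

def static_findings(data):
    """The thresholds the report applies, phrased like its rows."""
    pe = parse_pe(data)
    findings = []
    if pe["image_base"] > 0x60000000:
        findings.append("Image base 0x%X > 0x60000000" % pe["image_base"])
    for name, vsize, _va, rawsize, _ptr in pe["sections"]:
        if name == ".text" and vsize > 0x100000:
            findings.append("Virtual size of .text 0x%X > 0x100000" % vsize)
        if name == ".text" and rawsize > 0x100000:
            findings.append("Raw size of .text 0x%X > 0x100000" % rawsize)
    n = export_count(data, pe)
    if n > 100:
        findings.append("%d > 100 exports found" % n)
    return findings

def build_sample_dll():
    """Constructed PE32+ header (not the real sample) carrying the values the report lists."""
    e_lfanew = 0x80
    hdr = bytearray(0x400)                               # headers padded to the first raw section offset
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF: AMD64, 1 section, 0xF0-byte optional header, EXECUTABLE|LARGE_ADDRESS_AWARE|DLL
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x8664, 1, 0, 0, 0, 0xF0, 0x2022)
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, 0x20B)              # PE32+ magic
    struct.pack_into("<Q", hdr, opt + 24, 0x180000000)   # ImageBase as in the report
    struct.pack_into("<H", hdr, opt + 70, 0x0020 | 0x0040 | 0x0100)  # HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT
    struct.pack_into("<I", hdr, opt + 108, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 112, 0x1000, 40)  # export directory at RVA 0x1000 (assumed placement)
    sec = opt + 0xF0
    # .text: virtual size 0x30F000 (assumed), raw size 0x310000 (report), RVA 0x1000, file offset 0x400
    struct.pack_into("<8sIIII", hdr, sec, b".text", 0x30F000, 0x1000, 0x310000, 0x400)
    struct.pack_into("<I", hdr, sec + 36, 0x60000020)    # CNT_CODE|MEM_EXECUTE|MEM_READ, as in the report
    body = bytearray(0x40)                               # start of .text: IMAGE_EXPORT_DIRECTORY
    struct.pack_into("<I", body, 20, 614)                # NumberOfFunctions = 614 exports
    return bytes(hdr + body)

if __name__ == "__main__":
    sample = build_sample_dll()
    print("DllCharacteristics:", ", ".join(dll_flags(parse_pe(sample))))
    for line in static_findings(sample):
        print(line)
```

To run the same checks on a real file, pass `open(path, "rb").read()` to `static_findings` and `parse_pe`; the parser deliberately rejects PE32 (0x10B) images, so 32-bit samples need the ImageBase read as a 4-byte field at optional-header offset 28 instead.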
                      Source: Binary string: wkernel32.pdb source: aspnet_wp.exe, 00000006.00000003.1679307892.0000000007080000.00000004.00000001.00020000.00000000.sdmp, aspnet_wp.exe, 00000006.00000003.1679438513.00000000071A0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1690690612.0000000004A00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1690800404.0000000004B20000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdb source: aspnet_wp.exe, 00000006.00000003.1679891251.0000000007080000.00000004.00000001.00020000.00000000.sdmp, aspnet_wp.exe, 00000006.00000003.1680205438.00000000072A0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1691005457.0000000004A00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1691208458.0000000004C20000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: aspnet_wp.exe, 00000006.00000003.1677139668.0000000007270000.00000004.00000001.00020000.00000000.sdmp, aspnet_wp.exe, 00000006.00000003.1676801522.0000000007080000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1689458714.0000000004A00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1689771730.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: aspnet_wp.exe, 00000006.00000003.1678162243.0000000007220000.00000004.00000001.00020000.00000000.sdmp, aspnet_wp.exe, 00000006.00000003.1677694317.0000000007080000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1690294516.0000000004BA0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1690064045.0000000004A00000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdbUGP source: aspnet_wp.exe, 00000006.00000003.1677139668.0000000007270000.00000004.00000001.00020000.00000000.sdmp, aspnet_wp.exe, 00000006.00000003.1676801522.0000000007080000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1689458714.0000000004A00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1689771730.0000000004BF0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: aspnet_wp.exe, 00000006.00000003.1678162243.0000000007220000.00000004.00000001.00020000.00000000.sdmp, aspnet_wp.exe, 00000006.00000003.1677694317.0000000007080000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1690294516.0000000004BA0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1690064045.0000000004A00000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdbUGP source: aspnet_wp.exe, 00000006.00000003.1679891251.0000000007080000.00000004.00000001.00020000.00000000.sdmp, aspnet_wp.exe, 00000006.00000003.1680205438.00000000072A0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1691005457.0000000004A00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1691208458.0000000004C20000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernel32.pdbUGP source: aspnet_wp.exe, 00000006.00000003.1679307892.0000000007080000.00000004.00000001.00020000.00000000.sdmp, aspnet_wp.exe, 00000006.00000003.1679438513.00000000071A0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1690690612.0000000004A00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000003.1690800404.0000000004B20000.00000004.00000001.00020000.00000000.sdmp
                      Source: vstdlib_s64.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: vstdlib_s64.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: vstdlib_s64.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: vstdlib_s64.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: vstdlib_s64.dll.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                      Source: vstdlib_s64.dll.dll | Static PE information: section name: _RDATA
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_3_004719B4 push ecx; ret 5_3_004719C7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_3_067F525D push es; ret 5_3_067F5264
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_3_067F0F6A push eax; ret 5_3_067F0F75
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_3_067F3FD4 push ss; retf 5_3_067F3FF5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_3_067F3F89 push edi; iretd 5_3_067F3F96
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_3_067F2C39 push ecx; ret 5_3_067F2C59
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_3_067F10F9 push FFFFFF82h; iretd 5_3_067F10FB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_3_067F44F9 push edx; retf 5_3_067F44FC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_3_067F28EC push edi; ret 5_3_067F28F8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_3_067F4D5E push esi; ret 5_3_067F4D69
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_3_067F21DC push eax; ret 5_3_067F21DD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_2_067F525D push es; ret 5_2_067F5264
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_2_067F0F6A push eax; ret 5_2_067F0F75
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_2_067F3FD4 push ss; retf 5_2_067F3FF5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_2_067F3F89 push edi; iretd 5_2_067F3F96
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_2_067F2C39 push ecx; ret 5_2_067F2C59
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_2_067F10F9 push FFFFFF82h; iretd 5_2_067F10FB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_2_067F44F9 push edx; retf 5_2_067F44FC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_2_067F28EC push edi; ret 5_2_067F28F8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_2_067F4D5E push esi; ret 5_2_067F4D69
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_2_067F21DC push eax; ret 5_2_067F21DD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 6_3_004719B4 push ecx; ret 6_3_004719C7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 6_3_065E525D push es; ret 6_3_065E5264
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 6_3_065E0F6A push eax; ret 6_3_065E0F75
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 6_3_065E3FD4 push ss; retf 6_3_065E3FF5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 6_3_065E3F89 push edi; iretd 6_3_065E3F96
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 6_3_065E2C39 push ecx; ret 6_3_065E2C59
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 6_3_065E10F9 push FFFFFF82h; iretd 6_3_065E10FB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 6_3_065E44F9 push edx; retf 6_3_065E44FC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 6_3_065E28EC push edi; ret 6_3_065E28F8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 6_3_065E4D5E push esi; ret 6_3_065E4D69
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | API/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 4D5B83A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | API/Special instruction interceptor: Address: 7FFE2220D044
                      Source: C:\Windows\SysWOW64\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: svchost.exe, 0000000A.00000002.1747705067.000000000285C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWMSAFD L2CAP [Bluetooth]en-USen-GBn
                      Source: svchost.exe, 0000000A.00000003.1691208458.0000000004C20000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: DisableGuestVmNetworkConnectivity
                      Source: svchost.exe, 0000000A.00000002.1747608739.0000000002800000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: svchost.exe, 0000000A.00000002.1747639342.0000000002812000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(
                      Source: svchost.exe, 0000000A.00000003.1691208458.0000000004C20000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: EnableGuestVmNetworkConnectivity
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Process information queried: ProcessInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_3_00454ED5 LdrInitializeThunk,VirtualFree, 5_3_00454ED5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_3_00457D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_3_00457D4D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_3_067F0277 mov eax, dword ptr fs:[00000030h] 5_3_067F0277
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_2_067F0277 mov eax, dword ptr fs:[00000030h] 5_2_067F0277
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 6_3_065E0277 mov eax, dword ptr fs:[00000030h] 6_3_065E0277
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 6_2_065E0277 mov eax, dword ptr fs:[00000030h] 6_2_065E0277
                      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_3_02490283 mov eax, dword ptr fs:[00000030h] 10_3_02490283
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 14_3_06E40277 mov eax, dword ptr fs:[00000030h] 14_3_06E40277
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 14_2_06E40277 mov eax, dword ptr fs:[00000030h] 14_2_06E40277
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 18_3_05190277 mov eax, dword ptr fs:[00000030h] 18_3_05190277
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 18_2_05190277 mov eax, dword ptr fs:[00000030h] 18_2_05190277
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 25_3_06B80277 mov eax, dword ptr fs:[00000030h] 25_3_06B80277
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 25_2_06B80277 mov eax, dword ptr fs:[00000030h] 25_2_06B80277
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 27_3_06740277 mov eax, dword ptr fs:[00000030h] 27_3_06740277
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 27_2_06740277 mov eax, dword ptr fs:[00000030h] 27_2_06740277
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_3_0045800F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_3_0045800F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_3_00457D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_3_00457D4D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 5_3_00464B0C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_3_00464B0C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 6_3_0045800F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_3_0045800F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 6_3_00457D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_3_00457D4D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 6_3_00464B0C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_3_00464B0C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 14_3_0045800F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_3_0045800F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 14_3_00457D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_3_00457D4D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 14_3_00464B0C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_3_00464B0C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 18_3_0045800F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_3_0045800F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 18_3_00457D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_3_00457D4D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 18_3_00464B0C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_3_00464B0C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 25_3_0045800F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 25_3_0045800F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 25_3_00457D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_3_00457D4D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 25_3_00464B0C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_3_00464B0C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 27_3_0045800F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 27_3_0045800F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 27_3_00457D4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 27_3_00457D4D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe | Code function: 27_3_00464B0C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 27_3_00464B0C

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 83.217.208.36 3876
                      Source: C:\Windows\System32\rundll32.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 protect: page execute and read and write
                      Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\rundll32.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base address: 400000
                      Source: C:\Windows\System32\rundll32.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base address: 400000
                      Source: C:\Windows\System32\rundll32.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base address: 400000
                      Source: C:\Windows\System32\rundll32.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base address: 400000
                      Source: C:\Windows\System32\rundll32.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base address: 400000
                      Source: C:\Windows\System32\rundll32.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base address: 400000
                      Source: C:\Windows\System32\rundll32.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base address: 400000
                      Source: C:\Windows\System32\rundll32.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base address: 400000
                      Source: C:\Windows\System32\rundll32.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base address: 400000
                      Source: C:\Windows\System32\rundll32.exe | Section unmapped: unknown base address: 400000
                      Source: C:\Windows\System32\rundll32.exe | Section unmapped: unknown base address: 400000
                      Source: C:\Windows\System32\rundll32.exe | Section unmapped: unknown base address: 400000
                      Source: C:\Windows\System32\rundll32.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base address: 400000
                      Source: C:\Windows\System32\rundll32.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base address: 400000
                      Source: C:\Windows\System32\rundll32.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base address: 400000
                      Source: C:\Windows\System32\rundll32.exe | Section unmapped: unknown base address: 400000
                      Source: C:\Windows\System32\rundll32.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base address: 400000
                      Source: C:\Windows\System32\rundll32.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base address: 400000
                      Source: C:\Windows\System32\rundll32.exeSection unmapped: unknown base address: 400000Jump to behavior
                      Source: C:\Windows\System32\rundll32.exeSection unmapped: unknown base address: 400000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 401000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 473000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 479000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47A000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47B000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 49DA008
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 401000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 473000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 479000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47A000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47B000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 4702008
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 401000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 473000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 479000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47A000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47B000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 4FF1008
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 401000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 473000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 479000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47A000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47B000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 4C7F008
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 401000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 473000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 479000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47A000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47B000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 4E0C008
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 401000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 473000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 479000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47A000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47B000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 4868008
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 401000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 473000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 479000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47A000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47B000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 51A8008
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 401000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 473000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 479000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 47A000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 47B000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 4C82008
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 401000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 473000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 479000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 47A000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 47B000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: ADF008
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 401000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 473000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 479000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 47A000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 47B000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 51D3008
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 401000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 473000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 479000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47A000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47B000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 46E2008
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 401000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 473000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 479000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47A000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47B000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 514B008
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 401000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 473000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 479000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47A000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47B000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 4820008
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 401000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 473000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 479000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47A000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 47B000
                      Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 4FD7008
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
                      Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Process created: unknown unknown
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                      Source: C:\Windows\System32\rundll32.exe Process created: unknown unknown
                      Source: C:\Windows\System32\rundll32.exe Process created: unknown unknown
                      Source: C:\Windows\System32\rundll32.exe Process created: unknown unknown
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Process created: unknown unknown
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
                      Source: C:\Windows\System32\rundll32.exe Process created: unknown unknown
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
                      Source: C:\Windows\System32\rundll32.exe Process created: unknown unknown
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: unknown unknown
                      Source: C:\Windows\System32\rundll32.exe Process created: unknown unknown
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Process created: unknown unknown
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Code function: 5_3_0045781B cpuid 5_3_0045781B
                      Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFDFB6DA40C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FFDFB6DA40C
                      Source: C:\Windows\SysWOW64\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information


                      Remote Access Functionality

                      ATT&CK tactics and techniques (count of matched signatures in parentheses):

                      Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
                      Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
                      Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
                      Execution: Windows Management Instrumentation (11), Shared Modules (1), At, Cron, Launchd, Scheduled Task
                      Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
                      Privilege Escalation: Process Injection (511), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
                      Defense Evasion: Virtualization/Sandbox Evasion (1), Process Injection (511), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Rundll32 (1), DLL Side-Loading (1)
                      Credential Access: Input Capture (21), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
                      Discovery: System Time Discovery (1), Security Software Discovery (121), Virtualization/Sandbox Evasion (1), Process Discovery (1), System Information Discovery (124), Wi-Fi Discovery
                      Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
                      Collection: Input Capture (21), Archive Collected Data (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
                      Command and Control: Encrypted Channel (1), Non-Standard Port (1), Application Layer Protocol (1), Protocol Impersonation, Fallback Channels, Multiband Communication
                      Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
                      Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 1629406; Sample: vstdlib_s64.dll.exe; Start date: 04/03/2025; Architecture: WINDOWS; Score: 100

Behavior graph (process tree, with the signatures attached to each node):

Start (signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 3 other signatures)
  loaddll64.exe (started)
    cmd.exe (started)
      rundll32.exe (started; signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique; Injects a PE file into a foreign processes)
        aspnet_wp.exe (started)
          svchost.exe (started; signatures: System process connects to network (likely due to code injection or exploit); Switches to a custom stack to bypass stack traces)
            DNS/IP: 83.217.208.36, ports 3876, 49730, 49735, INF-NET-ASRU, Russian Federation
            fontdrvhost.exe (started)
          WerFault.exe (started)
    rundll32.exe (started; signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique)
      csc.exe (started)
      aspnet_wp.exe (started)
    rundll32.exe (started; signatures: Injects a PE file into a foreign processes)
      aspnet_wp.exe (started; signatures: Switches to a custom stack to bypass stack traces)
        WerFault.exe (started)
    12 other processes
      aspnet_wp.exe (started)
        WerFault.exe (started)
      aspnet_wp.exe (started)
        WerFault.exe (started)
      aspnet_wp.exe (started)
      7 other processes

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.