Windows Analysis Report
fptlVDDPkS.dll

Overview

General Information

Sample name: fptlVDDPkS.dll (renamed because the original name is a hash value)
Original sample name: 74442c540f07200122c8b3eab2a8bfd91709414c6571e1492c7b5ab7d1e0a7e7.exe
Analysis ID: 1498418
MD5: ce2bb4e0e06fa9ed9b54af794b109370
SHA1: 397c7c5907759587762fc06f1bdbe0fd30a9bf1e
SHA256: 74442c540f07200122c8b3eab2a8bfd91709414c6571e1492c7b5ab7d1e0a7e7
Tags: BlotchyQuasar, exe

Detection

Quasar
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Quasar RAT
Machine Learning detection for sample
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 3156 cmdline: loaddll64.exe "C:\Users\user\Desktop\fptlVDDPkS.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 1516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5500 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 1544 cmdline: rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 2008 cmdline: rundll32.exe C:\Users\user\Desktop\fptlVDDPkS.dll,V_FixDoubleSlashes MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6460 cmdline: rundll32.exe C:\Users\user\Desktop\fptlVDDPkS.dll,V_FixSlashes MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 4888 cmdline: rundll32.exe C:\Users\user\Desktop\fptlVDDPkS.dll,V_IsAbsolutePath MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6936 cmdline: rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_FixDoubleSlashes MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6960 cmdline: rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_FixSlashes MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 4916 cmdline: rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_IsAbsolutePath MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 1856 cmdline: rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_vsnwprintf MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 4904 cmdline: rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_strncpy MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6560 cmdline: rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_strncat_length MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 4852 cmdline: rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_strncat MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 824 cmdline: rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_snprintf MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 2120 cmdline: rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_UTF8ToUTF16 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6720 cmdline: rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_UTF16ToUTF8 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6776 cmdline: rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_StripTrailingSlash MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 6740 cmdline: rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_StripLastDir MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 3244 cmdline: rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_RemoveDotSlashes MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
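The rundll32 command lines in the tree are the sandbox harness at work: loaddll64.exe is Joe Sandbox's loader, which enumerates the DLL's exports (here V_FixDoubleSlashes, V_strncpy and the rest) and invokes each of them through rundll32.exe, first by ordinal (`#1`) and then by name. The syntax it uses, `rundll32.exe <dll>,<entry>` with an optionally quoted path and a comma before the entry point, is the same one a detection engineer has to parse when hunting for DLLs loaded from user-writable locations, which is the property that makes these lines interesting outside a sandbox. The parser below is an added example, not code from the report or from Joe Sandbox; the set of user-writable path roots and the benign shell32.dll line are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# rundll32 token anywhere on the line (handles wrappers such as "cmd.exe /C rundll32.exe ..."),
# followed by everything rundll32 itself will parse.
_RUNDLL32 = re.compile(r'rundll32(?:\.exe)?"?\s+(?P<args>.+)$', re.IGNORECASE)

# Assumed set of user-writable roots for this example; extend per environment.
_USER_WRITABLE = re.compile(r"^[a-z]:\\(?:users|programdata|windows\\temp)\\", re.IGNORECASE)


@dataclass
class RundllInvocation:
    dll_path: str
    entry: str          # export name, or "#N" for an ordinal
    by_ordinal: bool


def parse_rundll32(cmdline: str) -> Optional[RundllInvocation]:
    """Parse `rundll32.exe <dll>,<entry> [args]`.

    rundll32 accepts the DLL path either double-quoted or bare; in the bare form
    it splits at the first comma, so a path containing a comma must be quoted."""
    m = _RUNDLL32.search(cmdline)
    if not m:
        return None
    args = m.group("args").lstrip()
    if args.startswith('"'):
        end = args.find('"', 1)
        if end < 0:
            return None                       # unterminated quote
        dll, rest = args[1:end], args[end + 1:]
    else:
        dll, sep, tail = args.partition(",")
        rest = sep + tail
    if not rest.startswith(","):
        return None                           # no entry point given
    entry_and_args = rest[1:].strip()
    if not entry_and_args:
        return None
    entry = entry_and_args.split(None, 1)[0]  # entry point ends at the first whitespace
    return RundllInvocation(dll_path=dll, entry=entry, by_ordinal=entry.startswith("#"))


def assess(cmdline: str) -> List[str]:
    """Reasons a rundll32 command line deserves a look; [] for non-rundll32 or unremarkable lines."""
    inv = parse_rundll32(cmdline)
    if inv is None:
        return []
    reasons = []
    if _USER_WRITABLE.match(inv.dll_path):
        reasons.append(f"DLL loaded from user-writable path: {inv.dll_path}")
    if inv.by_ordinal:
        reasons.append(f"entry point given by ordinal: {inv.entry}")
    return reasons


# Command lines from the process tree in this report, plus one constructed benign line.
SAMPLE_CMDLINES = [
    r'loaddll64.exe "C:\Users\user\Desktop\fptlVDDPkS.dll"',
    r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",#1',
    r'rundll32.exe C:\Users\user\Desktop\fptlVDDPkS.dll,V_FixDoubleSlashes',
    r'rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_IsAbsolutePath',
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',   # constructed, benign
]


def triage(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged command line to its reasons; unflagged lines are left out."""
    flagged: Dict[str, List[str]] = {}
    for cmd in cmdlines:
        reasons = assess(cmd)
        if reasons:
            flagged[cmd] = reasons
    return flagged


if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_CMDLINES).items():
        print(cmd)
        for reason in reasons:
            print("   ", reason)
```

The parser finds the rundll32 token anywhere on the line, so the `cmd.exe /C rundll32.exe ...` wrapper in the tree is handled the same way as a direct invocation. An ordinal entry point is reported only because it is unusual for hand-typed command lines, not because it is malicious by itself; the user-writable path is the reason that should carry weight in a rule.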
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
No configs have been found
Yara matches. All entries below matched rule JoeSecurity_Quasar (description: Yara detected Quasar RAT; author: Joe Security).

Sample:
  • fptlVDDPkS.dll

Memory dumps (36 entries in total; 5 shown):
  • 00000004.00000002.1668412370.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp
  • 00000004.00000002.1666955684.0000020918002000.00000020.00000001.01000000.00000003.sdmp
  • 00000010.00000002.3523087270.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp
  • 00000013.00000002.1779910260.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp
  • 00000003.00000002.1668395234.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp

Unpacked PEs (29 entries in total; 5 shown):
  • 13.2.rundll32.exe.7ffdfaf00000.1.unpack
  • 9.2.rundll32.exe.2839b600000.0.unpack
  • 8.2.rundll32.exe.1f642760000.0.unpack
  • 4.2.rundll32.exe.20918000000.0.unpack
  • 7.2.rundll32.exe.7ffdfaf00000.1.unpack
                        No Sigma rule has matched
Suricata alerts:
  • Timestamp: 2024-08-24T15:33:36.158142+0200; SID: 2814030; Severity: 1; Source Port: 49745; Destination Port: 80; Protocol: TCP; Classtype: A Network Trojan was detected
  • Timestamp: 2024-08-24T15:33:33.626767+0200; SID: 2814031; Severity: 1; Source Port: 49735; Destination Port: 80; Protocol: TCP; Classtype: A Network Trojan was detected

                        AV Detection

Source: fptlVDDPkS.dll; ReversingLabs: Detection: 55%
Source: fptlVDDPkS.dll; Virustotal: Detection: 70%
Source: Yara match; file source: fptlVDDPkS.dll, type: SAMPLE
Source: Yara match; file source: 13.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 9.2.rundll32.exe.2839b600000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 8.2.rundll32.exe.1f642760000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 4.2.rundll32.exe.20918000000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 7.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 17.2.rundll32.exe.1fb23c10000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 14.2.rundll32.exe.1caee260000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 18.2.rundll32.exe.2904bc50000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 15.2.rundll32.exe.23caa570000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 19.2.rundll32.exe.23bdebe0000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 3.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 13.2.rundll32.exe.1d35a0b0000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 16.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 14.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 4.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 7.2.rundll32.exe.19c54e40000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 5.2.rundll32.exe.248ade40000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 10.2.rundll32.exe.26cfa220000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 16.2.rundll32.exe.2bed4880000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 5.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 18.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 15.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 6.2.rundll32.exe.1913f180000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 8.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 9.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 3.2.rundll32.exe.1bc60be0000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 6.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 11.2.rundll32.exe.12098000000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 19.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 11.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 12.2.rundll32.exe.1dc50a90000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 17.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 10.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000004.00000002.1668412370.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000004.00000002.1666955684.0000020918002000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000010.00000002.3523087270.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000013.00000002.1779910260.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000003.00000002.1668395234.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 0000000C.00000002.1778990439.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000009.00000002.1765732103.000002839B602000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000011.00000002.1775787220.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000013.00000002.1773163697.0000023BDEBE2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000007.00000002.1767938482.0000019C54E42000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 0000000E.00000002.1775949797.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000011.00000002.1769289446.000001FB23C12000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000007.00000002.1774386818.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000012.00000002.1769582440.000002904BC52000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.1776417055.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 0000000D.00000002.1777637531.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 0000000C.00000002.1772006527.000001DC50A92000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000005.00000002.1695695577.00000248ADE42000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000006.00000002.1727589413.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 0000000D.00000002.1771066252.000001D35A0B2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000012.00000002.1776033093.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 0000000E.00000002.1769466887.000001CAEE262000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 0000000A.00000002.1771215742.0000026CFA222000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000010.00000002.3521166027.000002BED4882000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000008.00000002.1776484924.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000009.00000002.1771163576.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000006.00000002.1726303377.000001913F182000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000005.00000002.1696549339.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000003.00000002.1667472107.000001BC60BE2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 0000000B.00000002.1776419485.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000008.00000002.1769938139.000001F642762000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 0000000B.00000002.1766023435.0000012098002000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.1769892834.0000023CAA572000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 0000000A.00000002.1778180373.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: rundll32.exe PID: 2008, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: rundll32.exe PID: 1544, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: rundll32.exe PID: 6460, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: rundll32.exe PID: 4888, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: rundll32.exe PID: 6936, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: rundll32.exe PID: 6960, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: rundll32.exe PID: 4916, type: MEMORYSTR
Source: fptlVDDPkS.dll; Joe Sandbox ML: detected
Source: unknown; HTTPS traffic detected: 34.107.226.223:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 88.198.193.213:443 -> 192.168.2.4:49738 version: TLS 1.0
Source: fptlVDDPkS.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
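The Static PE information line lists the DllCharacteristics flags set on the image: DYNAMIC_BASE (ASLR-compatible), NX_COMPAT (DEP-compatible), NO_SEH and TERMINAL_SERVER_AWARE. HIGH_ENTROPY_VA and GUARD_CF, the two other flags that matter for exploit-mitigation posture, are not in that list. The decoder below is an added example, not code from the report or from Joe Sandbox: it reads the flags straight from the optional header, where DllCharacteristics sits at offset 0x46 in both PE32 and PE32+ images, and also reports the IMAGE_FILE_DLL bit of the file header, which marks an image as a DLL regardless of its file extension. The header it builds to test itself is a constructed image with only the fields the parser reads filled in; it is not the sample from this report and cannot be loaded.

```python
import struct
from typing import Dict, List

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS: Dict[int, str] = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLL_CHARACTERISTICS_OFFSET = 0x46   # same in PE32 and PE32+ optional headers


def pe_header_info(data: bytes) -> Dict[str, object]:
    """Decode the file-header Characteristics and optional-header DllCharacteristics."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    (_machine, _nsections, _stamp, _symptr, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                            # COFF header is 20 bytes
    if opt_size < DLL_CHARACTERISTICS_OFFSET + 2 or len(data) < opt + DLL_CHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + DLL_CHARACTERISTICS_OFFSET)[0]
    flags: List[str] = [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit]
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dll_characteristics": dll_chars,
        "flags": flags,
        "aslr": bool(dll_chars & 0x0040),               # DYNAMIC_BASE
        "high_entropy_aslr": bool(dll_chars & 0x0020),  # HIGH_ENTROPY_VA
        "dep": bool(dll_chars & 0x0100),                # NX_COMPAT
        "cfg": bool(dll_chars & 0x4000),                # GUARD_CF
    }


def build_minimal_pe(dll_characteristics: int, is_dll: bool = True, pe32plus: bool = True) -> bytes:
    """Constructed test image (not the report's sample, not loadable): DOS header,
    PE signature, COFF header and an optional header with only the fields
    pe_header_info reads filled in."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # PE header directly after the DOS header
    opt_size = 0xF0 if pe32plus else 0xE0               # standard optional header sizes
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x014C,  # Machine: AMD64 / I386
                       1, 0, 0, 0, opt_size,
                       IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0))
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLL_CHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# The flag set this report prints for fptlVDDPkS.dll.
REPORTED_FLAGS = 0x0040 | 0x0100 | 0x0400 | 0x8000   # DYNAMIC_BASE | NX_COMPAT | NO_SEH | TERMINAL_SERVER_AWARE


def describe_reported_sample() -> Dict[str, object]:
    """Decode a constructed 64-bit DLL header carrying the report's flag set."""
    return pe_header_info(build_minimal_pe(REPORTED_FLAGS))


if __name__ == "__main__":
    for key, value in describe_reported_sample().items():
        print(f"{key}: {value}")
```

On a real file, pass its raw bytes to `pe_header_info`; the decoder touches only the first few hundred bytes, so it is cheap to run across a whole quarantine directory when you want to know which samples were built without CFG or high-entropy ASLR.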

                        Networking

Source: Network traffic; Suricata IDS: 2814031 - Severity 1 - ETPRO MALWARE W32/Quasar RAT Connectivity Check : 192.168.2.4:49735 -> 88.198.193.213:80
Source: Network traffic; Suricata IDS: 2814030 - Severity 1 - ETPRO MALWARE W32/Quasar RAT Connectivity Check 2 : 192.168.2.4:49745 -> 15.197.148.33:80
Source: C:\Windows\System32\rundll32.exe; Network Connect: 104.26.12.205:80
Source: C:\Windows\System32\rundll32.exe; Network Connect: 88.198.193.213:443
Source: C:\Windows\System32\rundll32.exe; Network Connect: 15.197.148.33:80
Source: C:\Windows\System32\rundll32.exe; Network Connect: 54.233.85.151:443
Source: C:\Windows\System32\rundll32.exe; Network Connect: 34.107.226.223:443
Source: global traffic; HTTP traffic detected:
  POST /user.json HTTP/1.1
  Content-Type: application/json; charset=utf-8
  Host: liga-730ce-default-rtdb.europe-west1.firebasedatabase.app
  Content-Length: 76
  Expect: 100-continue
  Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 15.197.148.33
Source: Joe Sandbox View; IP Address: 104.26.12.205
Source: Joe Sandbox View; ASN Name: TANDEMUS
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; ASN Name: HETZNER-ASDE
Source: Joe Sandbox View; ASN Name: AMAZON-02US
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown; DNS query: name: freegeoip.net
Source: unknown; DNS query: name: api.ipify.org (seen twice)
Source: global traffic; HTTP traffic detected (seen twice):
  GET /geoip HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
  Host: www.telize.com
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET /geoip HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
  Host: telize.com
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET /xml/ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
  Host: freegeoip.net
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 54.233.85.151 (8 occurrences)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (6 occurrences)
Source: global traffic; DNS traffic detected: DNS query: liga-730ce-default-rtdb.europe-west1.firebasedatabase.app
Source: global traffic; DNS traffic detected: DNS query: telize.com
Source: global traffic; DNS traffic detected: DNS query: www.telize.com
Source: global traffic; DNS traffic detected: DNS query: freegeoip.net
Source: global traffic; DNS traffic detected: DNS query: api.ipify.org
Source: global traffic; DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: unknown; HTTP traffic detected:
  POST /user.json HTTP/1.1
  Content-Type: application/json; charset=utf-8
  Host: liga-730ce-default-rtdb.europe-west1.firebasedatabase.app
  Content-Length: 76
  Expect: 100-continue
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Sat, 24 Aug 2024 13:33:33 GMT
  Content-Type: application/json; charset=utf-8
  Content-Length: 136
  Connection: close
  Access-Control-Allow-Origin: *
  Cache-Control: no-cache
  Strict-Transport-Security: max-age=31556926; includeSubDomains; preload

  { "error" : "Firebase error. Please ensure that you have the URL of your Firebase Realtime Database instance configured correctly."}
Source: rundll32.exe memory dumps 00000007.00000002.1767938482.0000019C54E42000.00000020.00000001.01000000.00000003.sdmp, 00000007.00000002.1774386818.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, 00000008.00000002.1776484924.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, 00000008.00000002.1769938139.000001F642762000.00000020.00000001.01000000.00000003.sdmp, 00000009.00000002.1765732103.000002839B602000.00000020.00000001.01000000.00000003.sdmp, 00000009.00000002.1771163576.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp; strings found in binary or memory:
  • http://api.ipify.org/
  • http://freegeoip.net/xml/
  • http://telize.com/geoip
  • https://liga-730ce-default-rtdb.europe-west1.firebasedatabase.app/user.json
Source: unknown; Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown; Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown; Network traffic detected: HTTP traffic on port 49738 -> 443
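The HTTP requests in this section show two behaviours worth detecting generically. The GET requests to www.telize.com, telize.com, freegeoip.net and api.ipify.org are a fallback chain of public-IP and geolocation lookups, all sent with the same hard-coded Firefox 36 User-Agent; that is what the "May check the online IP address of the machine" and "Uses a known web browser user agent for HTTP communication" signatures describe. The POST to the Firebase Realtime Database instance carries no User-Agent at all ("HTTP GET or POST without a user agent"), and the 404 body recorded above shows the instance did not answer as a database, so that check-in failed in the sandbox. The triage code below is an added example, not part of the report or of Joe Sandbox. The request texts are rebuilt from the header lines shown in this section plus one constructed benign request; the Firefox version cut-off is an assumed threshold, and the lookup-host list contains only the hosts this report shows.

```python
import re
from typing import Dict, List, Tuple

# Lookup services seen in this report; a production list would be longer.
IP_LOOKUP_HOSTS = {"telize.com", "www.telize.com", "freegeoip.net", "api.ipify.org"}
# Assumed cut-off: a Firefox major version this old is no longer a live browser.
STALE_FIREFOX_BELOW = 60


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, target, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def triage_request(raw: str) -> List[str]:
    """Per-request findings; [] when nothing stands out."""
    method, _target, headers = parse_request(raw)
    host = headers.get("host", "").lower()
    ua = headers.get("user-agent")
    findings: List[str] = []
    if host in IP_LOOKUP_HOSTS:
        findings.append("public IP / geolocation lookup")
    if ua is None:
        findings.append("no User-Agent header")
    else:
        m = re.search(r"Firefox/(\d+)", ua)
        if m and int(m.group(1)) < STALE_FIREFOX_BELOW:
            findings.append("stale hard-coded browser User-Agent")
    if method == "POST" and host.endswith(".firebasedatabase.app"):
        findings.append("POST to a Firebase Realtime Database instance")
    return findings


def summarize_session(raws: List[str]) -> Dict[str, object]:
    """Correlate a batch of requests: several lookup services tried with one
    identical User-Agent is the fallback-chain pattern this report shows."""
    lookups = []
    for raw in raws:
        _method, _target, headers = parse_request(raw)
        host = headers.get("host", "").lower()
        if host in IP_LOOKUP_HOSTS:
            lookups.append((host, headers.get("user-agent")))
    hosts = sorted({h for h, _ in lookups})
    agents = {ua for _, ua in lookups}
    return {
        "lookup_hosts": hosts,
        "distinct_agents": len(agents),
        "fallback_chain": len(hosts) >= 2 and len(agents) == 1,
    }


_UA = "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0"


def _req(request_line: str, *headers: str) -> str:
    """Build a CRLF-terminated request head from its lines."""
    return "\r\n".join((request_line, *headers)) + "\r\n\r\n"


# Requests rebuilt from the header lines in this report, plus one constructed benign request.
SAMPLE_REQUESTS = [
    _req("GET /geoip HTTP/1.1", "User-Agent: " + _UA, "Host: www.telize.com", "Connection: Keep-Alive"),
    _req("GET /geoip HTTP/1.1", "User-Agent: " + _UA, "Host: telize.com", "Connection: Keep-Alive"),
    _req("GET /xml/ HTTP/1.1", "User-Agent: " + _UA, "Host: freegeoip.net", "Connection: Keep-Alive"),
    _req("GET / HTTP/1.1", "User-Agent: " + _UA, "Host: api.ipify.org", "Connection: Keep-Alive"),
    _req("POST /user.json HTTP/1.1", "Content-Type: application/json; charset=utf-8",
         "Host: liga-730ce-default-rtdb.europe-west1.firebasedatabase.app",
         "Content-Length: 76", "Expect: 100-continue", "Connection: Keep-Alive"),
    # Constructed benign request for contrast (not from the report).
    _req("GET /index.html HTTP/1.1", "Host: www.example.com",
         "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"),
]


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(raw.split("\r\n", 1)[0], "->", triage_request(raw) or "clean")
    print(summarize_session(SAMPLE_REQUESTS))
```

Each finding is a triage hint rather than a verdict: legitimate software queries api.ipify.org and writes to Firebase too. The combination this report shows, several IP-lookup services tried in sequence with one stale hard-coded User-Agent followed by a check-in that sends no User-Agent at all, is what makes the session worth escalating.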

                        E-Banking Fraud

Source: Yara match; the same JoeSecurity_Quasar matches on the sample, the unpacked PEs and the memory dumps as listed under AV Detection above
                        Source: Yara matchFile source: 00000013.00000002.1773163697.0000023BDEBE2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.1767938482.0000019C54E42000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000E.00000002.1775949797.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000011.00000002.1769289446.000001FB23C12000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.1774386818.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000012.00000002.1769582440.000002904BC52000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000F.00000002.1776417055.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000D.00000002.1777637531.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000C.00000002.1772006527.000001DC50A92000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.1695695577.00000248ADE42000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.1727589413.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000D.00000002.1771066252.000001D35A0B2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000012.00000002.1776033093.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000E.00000002.1769466887.000001CAEE262000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.1771215742.0000026CFA222000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000010.00000002.3521166027.000002BED4882000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000002.1776484924.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000009.00000002.1771163576.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000006.00000002.1726303377.000001913F182000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000005.00000002.1696549339.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.1667472107.000001BC60BE2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1776419485.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000008.00000002.1769938139.000001F642762000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.1766023435.0000012098002000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000F.00000002.1769892834.0000023CAA572000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000A.00000002.1778180373.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 2008, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 1544, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6460, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 4888, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6936, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6960, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 4916, type: MEMORYSTR
                        Source: C:\Windows\System32\rundll32.exe | File created: C:\Windows\system32\Data.log
                        Source: fptlVDDPkS.dll | Static PE information: invalid certificate
                        Source: classification engine | Classification label: mal76.troj.evad.winDLL@38/2@6/5
                        Source: C:\Windows\System32\rundll32.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1516:120:WilError_03
                        Source: C:\Windows\System32\rundll32.exe | Mutant created: NULL
                        Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\e4d6a6ec-320d-48ee-b6b2-fa24f03760d4
                        Source: fptlVDDPkS.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: fptlVDDPkS.dll | Static file information: TRID: Win64 Dynamic Link Library (generic) Net Framework (111504/3) 44.42%
                        Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\fptlVDDPkS.dll,V_FixDoubleSlashes
                        Source: fptlVDDPkS.dll | ReversingLabs: Detection: 55%
                        Source: fptlVDDPkS.dll | Virustotal: Detection: 70%
                        Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\fptlVDDPkS.dll"
                        Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",#1
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",#1
                        Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\fptlVDDPkS.dll,V_FixSlashes
                        Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\fptlVDDPkS.dll,V_IsAbsolutePath
                        Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_FixDoubleSlashes
                        Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_FixSlashes
                        Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_IsAbsolutePath
                        Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_vsnwprintf
                        Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_strncpy
                        Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_strncat_length
                        Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_strncat
                        Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_snprintf
                        Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_UTF8ToUTF16
                        Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_UTF16ToUTF8
                        Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_StripTrailingSlash
                        Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_StripLastDir
                        Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_RemoveDotSlashes
                        Source: C:\Windows\System32\loaddll64.exe | Section loaded: apphelp.dll
                        Source: C:\Windows\System32\loaddll64.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\System32\loaddll64.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\loaddll64.exe | Section loaded: version.dll
                        Source: C:\Windows\System32\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                        Source: Window Recorder | Window detected: More than 3 window changes detected
                        Source: fptlVDDPkS.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: fptlVDDPkS.dll | Static PE information: Virtual size of .text is bigger than: 0x100000
                        Source: fptlVDDPkS.dll | Static PE information: Image base 0x180000000 > 0x60000000
                        Source: fptlVDDPkS.dll | Static file information: File size 8928616 > 1048576
                        Source: fptlVDDPkS.dll | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x880400
                        Source: fptlVDDPkS.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 632
                        Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 583
                        Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 729
                        Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 7813
                        Source: C:\Windows\System32\loaddll64.exe TID: 5828 Thread sleep time: -120000s >= -30000s
                        Source: C:\Windows\System32\rundll32.exe TID: 7448 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\rundll32.exe TID: 7448 Thread sleep time: -100000s >= -30000s
                        Source: C:\Windows\System32\rundll32.exe TID: 7472 Thread sleep time: -1822500s >= -30000s
                        Source: C:\Windows\System32\rundll32.exe TID: 7472 Thread sleep time: -19532500s >= -30000s
                        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                        Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
                        Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 100000
                        Source: C:\Windows\System32\rundll32.exe Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Windows\System32\rundll32.exe Network Connect: 104.26.12.205 80
                        Source: C:\Windows\System32\rundll32.exe Network Connect: 88.198.193.213 443
                        Source: C:\Windows\System32\rundll32.exe Network Connect: 15.197.148.33 80
                        Source: C:\Windows\System32\rundll32.exe Network Connect: 54.233.85.151 443
                        Source: C:\Windows\System32\rundll32.exe Network Connect: 34.107.226.223 443
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",#1
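The sleep entries and the network-connect entries above are the raw events behind two of this report's evasion findings: a thread delay long enough to outlast a sandbox run (922337203685477 ms equals the largest .NET TimeSpan expressed in milliseconds, i.e. an effectively infinite sleep; that reading is an inference, not something the report states), and a signed system binary, rundll32.exe, opening outbound connections to Internet addresses on its own. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses behaviour lines in the report's own format and applies both heuristics. The 3-minute sleep threshold and the list of host processes that should not normally reach the Internet are assumptions chosen for the example; the private 10.0.0.5 line in the sample input is constructed to show that internal destinations are excluded, while the other sample lines are copied from the entries above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Thresholds and process lists are assumptions for this example, not values
# taken from the sandbox or from the sample.
LONG_SLEEP_MS = 3 * 60 * 1000  # 3 minutes, in milliseconds
LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "loaddll64.exe"}

# Constructed sample input in the report's line format. All lines except the
# 10.0.0.5 one are copied from the report; that one is added to show the
# private-address exclusion. The "Process created" line matches no pattern
# and is skipped by the parser.
SAMPLE_EVENTS = r"""Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\loaddll64.exe TID: 5828 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 7472 Thread sleep time: -19532500s >= -30000s
Source: C:\Windows\System32\rundll32.exe Network Connect: 104.26.12.205 80
Source: C:\Windows\System32\rundll32.exe Network Connect: 88.198.193.213 443
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",#1
Source: C:\Windows\System32\rundll32.exe Network Connect: 10.0.0.5 445
"""

# "\s*" between the process path and the event text also accepts the
# run-together form ("rundll32.exeThread ...") that the HTML extraction produces.
_SLEEP_RE = re.compile(
    r"^Source:\s*(?P<proc>\S+?\.exe)\s*(?:TID:\s*\d+\s*)?"
    r"Thread (?:delayed: delay time: |sleep time: -)(?P<ms>\d+)"
)
_CONNECT_RE = re.compile(
    r"^Source:\s*(?P<proc>\S+?\.exe)\s*Network Connect:\s*(?P<ip>[0-9.]+)\s+(?P<port>\d+)"
)


@dataclass(frozen=True)
class Event:
    proc: str              # basename of the source process, e.g. rundll32.exe
    kind: str              # "sleep" or "connect"
    value: int             # sleep length in ms (assumed unit), or destination port
    ip: Optional[str] = None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[Event]:
    """Parse report-style behaviour lines; lines matching neither pattern are skipped."""
    events: list[Event] = []
    for line in text.splitlines():
        m = _SLEEP_RE.match(line)
        if m:
            events.append(Event(_basename(m["proc"]), "sleep", int(m["ms"])))
            continue
        m = _CONNECT_RE.match(line)
        if m:
            events.append(Event(_basename(m["proc"]), "connect", int(m["port"]), m["ip"]))
    return events


def find_long_sleeps(events: list[Event], threshold_ms: int = LONG_SLEEP_MS) -> list[Event]:
    """Sleeps at or above the threshold, in input order."""
    return [e for e in events if e.kind == "sleep" and e.value >= threshold_ms]


def find_lolbin_public_connects(events: list[Event]) -> list[Event]:
    """Outbound connections by a LOLBin host process to a globally routable address.

    Private, loopback and link-local destinations are ignored so that ordinary
    intranet traffic from these hosts does not fire the heuristic.
    """
    return [
        e for e in events
        if e.kind == "connect"
        and e.proc in LOLBIN_HOSTS
        and ipaddress.ip_address(e.ip).is_global
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for e in find_long_sleeps(evs):
        print(f"long sleep   {e.proc}: {e.value} ms")
    for e in find_lolbin_public_connects(evs):
        print(f"lolbin egress {e.proc} -> {e.ip}:{e.value}")
```

With the sandbox's own 30 s threshold (the `-30000s` comparison printed in the entries) all three sample sleeps fire; at the 3-minute threshold used here the 120000 ms delay from loaddll64.exe drops out, which is the trade-off to tune against the false-positive rate of ordinary software that sleeps for a minute or two. The same two heuristics translate directly to endpoint telemetry: a Sysmon event ID 3 (network connection) whose image is rundll32.exe and whose destination is not RFC 1918 space is the production-grade equivalent of the second check.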
                        Source: rundll32.exe, rundll32.exe, 00000007.00000002.1767938482.0000019C54E42000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.1774386818.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.1776484924.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: Shell_TrayWnd
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Users\user\Desktop\fptlVDDPkS.dll VolumeInformation (14 identical entries)
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation (5 identical entries)
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation (2 identical entries)
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation (2 identical entries)
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                        Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\Desktop\fptlVDDPkS.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\Desktop\fptlVDDPkS.dll VolumeInformation
                        Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\Desktop\fptlVDDPkS.dll VolumeInformation
                        Source: C:\Windows\System32\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information
Source: Yara match | File source: fptlVDDPkS.dll, type: SAMPLE
Source: Yara match | File source: 13.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.2839b600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.1f642760000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.20918000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.rundll32.exe.1fb23c10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.1caee260000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.2904bc50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.23caa570000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rundll32.exe.23bdebe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.1d35a0b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.19c54e40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.248ade40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.26cfa220000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.2bed4880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.1913f180000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1bc60be0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.12098000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.1dc50a90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.7ffdfaf00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1668412370.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1666955684.0000020918002000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3523087270.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.1779910260.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1668395234.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1778990439.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1765732103.000002839B602000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1775787220.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.1773163697.0000023BDEBE2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1767938482.0000019C54E42000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1775949797.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1769289446.000001FB23C12000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1774386818.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1769582440.000002904BC52000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1776417055.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1777637531.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1772006527.000001DC50A92000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1695695577.00000248ADE42000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1727589413.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1771066252.000001D35A0B2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1776033093.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1769466887.000001CAEE262000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1771215742.0000026CFA222000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3521166027.000002BED4882000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1776484924.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1771163576.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1726303377.000001913F182000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1696549339.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1667472107.000001BC60BE2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1776419485.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1769938139.000001F642762000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1766023435.0000012098002000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1769892834.0000023CAA572000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1778180373.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2008, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 1544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6460, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4888, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6936, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6960, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4916, type: MEMORYSTR

                        Remote Access Functionality

                        MITRE ATT&CK Matrix (techniques grouped by tactic; a leading number is the count badge shown in the report):
                        • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
                        • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
                        • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
                        • Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
                        • Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
                        • Privilege Escalation: 112 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
                        • Defense Evasion: 11 Masquerading, 1 Disable or Modify Tools, 21 Virtualization/Sandbox Evasion, 112 Process Injection, 1 Rundll32, 1 DLL Side-Loading
                        • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
                        • Discovery: 1 Process Discovery, 21 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 1 System Network Configuration Discovery, 12 System Information Discovery, Wi-Fi Discovery
                        • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
                        • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
                        • Command and Control: 1 Encrypted Channel, 3 Ingress Tool Transfer, 4 Non-Application Layer Protocol, 15 Application Layer Protocol, Fallback Channels, Multiband Communication
                        • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
                        • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet

                        Source / Detection / Scanner / Label:
                        • fptlVDDPkS.dll: 55%, ReversingLabs, ByteCode-MSIL.Trojan.Zilla
                        • fptlVDDPkS.dll: 71%, Virustotal
                        • fptlVDDPkS.dll: 100%, Joe Sandbox ML
                        No Antivirus matches
                        No Antivirus matches
                        Source / Detection / Scanner / Label:
                        • liga-730ce-default-rtdb.europe-west1.firebasedatabase.app: 1%, Virustotal
                        • telize.com: 2%, Virustotal
                        • www.telize.com: 2%, Virustotal
                        • api.ipify.org: 2%, Virustotal
                        • freegeoip.net: 0%, Virustotal
                        • 15.164.165.52.in-addr.arpa: 0%, Virustotal
                        Source / Detection / Scanner / Label:
                        • https://www.telize.com/geoip: 0%, Avira URL Cloud, safe
                        • http://freegeoip.net/xml/: 0%, Avira URL Cloud, safe
                        • https://liga-730ce-default-rtdb.europe-west1.firebasedatabase.app/user.json: 0%, Avira URL Cloud, safe
                        • http://api.ipify.org/: 0%, Avira URL Cloud, safe
                        • http://telize.com/geoip: 0%, Avira URL Cloud, safe
                        • https://www.telize.com/geoip: 1%, Virustotal
                        • https://liga-730ce-default-rtdb.europe-west1.firebasedatabase.app/user.json: 0%, Virustotal
                        • http://api.ipify.org/: 2%, Virustotal
                        • http://freegeoip.net/xml/: 0%, Virustotal
                        • http://telize.com/geoip: 2%, Virustotal
                        Name / IP / Active / Malicious / Antivirus Detection / Reputation:
                        • liga-730ce-default-rtdb.europe-west1.firebasedatabase.app, 34.107.226.223: active true, malicious false, reputation unknown
                        • telize.com, 88.198.193.213: active true, malicious true, reputation unknown
                        • www.telize.com, 88.198.193.213: active true, malicious true, reputation unknown
                        • api.ipify.org, 104.26.12.205: active true, malicious true, reputation unknown
                        • freegeoip.net, 15.197.148.33: active true, malicious true, reputation unknown
                        • 15.164.165.52.in-addr.arpa, IP unknown: active unknown, malicious false, reputation unknown
                        Name / Malicious / Antivirus Detection / Reputation:
                        • http://api.ipify.org/: malicious true; 2%, Virustotal; Avira URL Cloud: safe; reputation unknown
                        • http://freegeoip.net/xml/: malicious true; 0%, Virustotal; Avira URL Cloud: safe; reputation unknown
                        • http://telize.com/geoip: malicious true; 2%, Virustotal; Avira URL Cloud: safe; reputation unknown
                        • https://liga-730ce-default-rtdb.europe-west1.firebasedatabase.app/user.json: malicious false; 0%, Virustotal; Avira URL Cloud: safe; reputation unknown
                        • https://www.telize.com/geoip: malicious true; 1%, Virustotal; Avira URL Cloud: safe; reputation unknown
                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs
                        IP / Domain / Country / ASN / ASN Name / Malicious:
                        • 15.197.148.33: freegeoip.net, United States, ASN 7430 TANDEMUS, malicious true
                        • 104.26.12.205: api.ipify.org, United States, ASN 13335 CLOUDFLARENETUS, malicious true
                        • 88.198.193.213: telize.com, Germany, ASN 24940 HETZNER-ASDE, malicious true
                        • 54.233.85.151: unknown, United States, ASN 16509 AMAZON-02US, malicious true
                        • 34.107.226.223: liga-730ce-default-rtdb.europe-west1.firebasedatabase.app, United States, ASN 15169 GOOGLEUS, malicious false
                        Joe Sandbox version: 40.0.0 Tourmaline
                        Analysis ID: 1498418
                        Start date and time: 2024-08-24 15:32:27 +02:00
                        Joe Sandbox product: CloudBasic
                        Overall analysis duration: 0h 11m 1s
                        Hypervisor based Inspection enabled: false
                        Report type: full
                        Cookbook file name: default.jbs
                        Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Run name: Run with higher sleep bypass
                        Number of new started processes analysed: 25
                        Number of new started drivers analysed: 0
                        Number of existing processes analysed: 0
                        Number of existing drivers analysed: 0
                        Number of injected processes analysed: 0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode: default
                        Analysis stop reason: Timeout
                        Sample name: fptlVDDPkS.dll (renamed because original name is a hash value)
                        Original Sample Name: 74442c540f07200122c8b3eab2a8bfd91709414c6571e1492c7b5ab7d1e0a7e7.exe
                        Detection: MAL
                        Classification: mal76.troj.evad.winDLL@38/2@6/5
                        EGA Information: Failed
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Found application associated with file extension: .dll
                        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes were analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        Time / Type / Description:
                        • 09:34:12, API Interceptor: 3618342x Sleep call for process: rundll32.exe modified
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        15.197.148.33zE7Ken4cFt.dllGet hashmaliciousQuasarBrowse
                        • freegeoip.net/xml/
                        zE7Ken4cFt.dllGet hashmaliciousQuasarBrowse
                        • freegeoip.net/xml/
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • freegeoip.net/xml/
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • freegeoip.net/xml/
                        Atlas Copco- WEPCO.exeGet hashmaliciousFormBookBrowse
                        • www.chamadaslotgiris.net/u4mm/
                        SecuriteInfo.com.Exploit.CVE-2017-11882.123.29807.9267.rtfGet hashmaliciousFormBookBrowse
                        • www.atlpicsstudios.com/pbzm/
                        PO-0122-08-2024.xlsGet hashmaliciousFormBookBrowse
                        • www.hourglasspoise.net/5gvb/
                        irlsever.docGet hashmaliciousFormBookBrowse
                        • www.doonsideproperty.com/4fya/
                        Fzfee1Lgc2.elfGet hashmaliciousUnknownBrowse
                        • velumani.in/
                        104.26.12.205zE7Ken4cFt.dllGet hashmaliciousQuasarBrowse
                        • api.ipify.org/
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • api.ipify.org/
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • api.ipify.org/
                        SecuriteInfo.com.Win64.DropperX-gen.20063.4917.exeGet hashmaliciousStealcBrowse
                        • api.ipify.org/
                        Zoom_workspace.htaGet hashmaliciousCobalt Strike, Clipboard HijackerBrowse
                        • api.ipify.org/
                        SecuriteInfo.com.Win64.Evo-gen.28044.10443.exeGet hashmaliciousUnknownBrowse
                        • api.ipify.org/
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • api.ipify.org/
                        6OiUEubyA8.msiGet hashmaliciousQuasarBrowse
                        • api.ipify.org/
                        SecuriteInfo.com.Win64.RansomX-gen.22171.1307.exeGet hashmaliciousConti, PureLog Stealer, Targeted RansomwareBrowse
                        • api.ipify.org/
                        482730621.exeGet hashmaliciousStealitBrowse
                        • api.ipify.org/?format=json
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        telize.comzE7Ken4cFt.dllGet hashmaliciousQuasarBrowse
                        • 88.198.193.213
                        zE7Ken4cFt.dllGet hashmaliciousQuasarBrowse
                        • 88.198.193.213
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 88.198.193.213
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 88.198.193.213
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 88.198.193.213
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 88.198.193.213
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 88.198.193.213
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 88.198.193.213
                        6OiUEubyA8.msiGet hashmaliciousQuasarBrowse
                        • 88.198.193.213
                        freegeoip.netzE7Ken4cFt.dllGet hashmaliciousQuasarBrowse
                        • 15.197.148.33
                        zE7Ken4cFt.dllGet hashmaliciousQuasarBrowse
                        • 15.197.148.33
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 3.33.130.190
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 15.197.148.33
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 3.33.130.190
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 15.197.148.33
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 3.33.130.190
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 3.33.130.190
                        6OiUEubyA8.msiGet hashmaliciousQuasarBrowse
                        • 15.197.148.33
                        api.ipify.orgzE7Ken4cFt.dllGet hashmaliciousQuasarBrowse
                        • 172.67.74.152
                        zE7Ken4cFt.dllGet hashmaliciousQuasarBrowse
                        • 104.26.12.205
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 104.26.13.205
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 104.26.13.205
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 104.26.12.205
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 104.26.12.205
                        file.exeGet hashmaliciousMeduza StealerBrowse
                        • 104.26.13.205
                        file.exeGet hashmaliciousPureLog Stealer, RedLine, zgRATBrowse
                        • 104.26.12.205
                        SecuriteInfo.com.BackDoor.SpyBotNET.75.13901.13013.exeGet hashmaliciousAgentTeslaBrowse
                        • 104.26.12.205
                        www.telize.comzE7Ken4cFt.dllGet hashmaliciousQuasarBrowse
                        • 88.198.193.213
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 88.198.193.213
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 88.198.193.213
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 88.198.193.213
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 88.198.193.213
                        30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exeGet hashmaliciousQuasarBrowse
                        • 88.198.193.213
                        XIiRHEaA9R.exeGet hashmaliciousQuasarBrowse
                        • 88.198.193.213
                        svchost.exeGet hashmaliciousQuasarBrowse
                        • 88.198.193.213
                        conn.exeGet hashmaliciousQuasarBrowse
                        • 88.198.193.213
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        CLOUDFLARENETUSzE7Ken4cFt.dllGet hashmaliciousQuasarBrowse
                        • 172.67.74.152
                        zE7Ken4cFt.dllGet hashmaliciousQuasarBrowse
                        • 104.26.12.205
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 104.26.13.205
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 104.26.13.205
                        file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                        • 172.64.41.3
                        file.exeGet hashmaliciousUnknownBrowse
                        • 172.64.41.3
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 104.26.12.205
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 104.26.12.205
                        file.exeGet hashmaliciousLummaC, VidarBrowse
                        • 104.21.16.180
                        TANDEMUSzE7Ken4cFt.dllGet hashmaliciousQuasarBrowse
                        • 15.197.148.33
                        zE7Ken4cFt.dllGet hashmaliciousQuasarBrowse
                        • 15.197.148.33
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 15.197.148.33
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • 15.197.148.33
                        https://new-update-108047.weeblysite.com/Get hashmaliciousUnknownBrowse
                        • 15.197.193.217
                        https://att-customer-service-109909.weeblysite.com/ | malicious | Unknown | 15.197.193.217
                        https://7667lghjgfmank85387sg387sfyruk53k538gfm.weeblysite.com/ | malicious | Unknown | 15.197.193.217
                        Bonelessness.exe | malicious | Simda Stealer | 15.197.240.20
                        roundwood.exe | malicious | Simda Stealer | 15.197.240.20
                        Match: AMAZON-02 US
                        zE7Ken4cFt.dll | malicious | Quasar | 54.233.85.151
                        zE7Ken4cFt.dll | malicious | Quasar | 54.233.85.151
                        T-7750.732.msi | malicious | Unknown | 15.228.186.93
                        T-7065.750.msi | malicious | Unknown | 15.228.186.93
                        file.exe | malicious | Unknown | 52.222.236.120
                        file.exe | malicious | Unknown | 52.222.236.48
                        file.exe | malicious | Unknown | 52.222.236.80
                        file.exe | malicious | Amadey, Stealc, Vidar | 52.222.236.80
                        file.exe | malicious | Unknown | 52.222.236.48
                        Match: HETZNER-AS DE
                        zE7Ken4cFt.dll | malicious | Quasar | 88.198.193.213
                        zE7Ken4cFt.dll | malicious | Quasar | 88.198.193.213
                        vstdlib_s64.dll.dll | malicious | Quasar | 88.198.193.213
                        vstdlib_s64.dll.dll | malicious | Quasar | 88.198.193.213
                        vstdlib_s64.dll.dll | malicious | Quasar | 88.198.193.213
                        vstdlib_s64.dll.dll | malicious | Quasar | 88.198.193.213
                        01EtoWGHZI.exe | malicious | RedLine | 148.251.234.93
                        https://badcord.ct8.pl/paste?id=f661b88d-6112-11ef-a650-6cb311233542 | malicious | Unknown | 136.243.156.120
                        http://solarrebater.org/ | malicious | Unknown | 136.243.148.216
                        Associated Sample Name / URL | Detection | Threat Name | Context
                        Match: 54328bd36c14bd82ddaa0c04b25ed9ad
                        zE7Ken4cFt.dll | malicious | Quasar | 88.198.193.213, 34.107.226.223
                        zE7Ken4cFt.dll | malicious | Quasar | 88.198.193.213, 34.107.226.223
                        vstdlib_s64.dll.dll | malicious | Quasar | 88.198.193.213, 34.107.226.223
                        vstdlib_s64.dll.dll | malicious | Quasar | 88.198.193.213, 34.107.226.223
                        vstdlib_s64.dll.dll | malicious | Quasar | 88.198.193.213, 34.107.226.223
                        vstdlib_s64.dll.dll | malicious | Quasar | 88.198.193.213, 34.107.226.223
                        N8LgG4xO0F.exe | malicious | DCRat, PureLog Stealer, zgRAT | 88.198.193.213, 34.107.226.223
                        Order number HMFZ0772 [Order].exe | malicious | Snake Keylogger, VIP Keylogger | 88.198.193.213, 34.107.226.223
                        Order Details.exe | malicious | Snake Keylogger | 88.198.193.213, 34.107.226.223
                        No context
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):42
                        Entropy (8bit):4.0050635535766075
                        Encrypted:false
                        SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                        MD5:84CFDB4B995B1DBF543B26B86C863ADC
                        SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                        SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                        SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                        Malicious:false
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                        Process:C:\Windows\System32\rundll32.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):10
                        Entropy (8bit):2.246439344671016
                        Encrypted:false
                        SSDEEP:3:plRn:F
                        MD5:AD22A8309F02730388A71BB1214D22AE
                        SHA1:58FA3911233247E8B1E44D5B026DB2BF82500C33
                        SHA-256:E90F79ECE2F2632740BED9B19311D12DBF3C3EA9A572DD97528EC65966B6F736
                        SHA-512:12C3E14BF50FAB2DA93B5CAB4CF0E191448EC4277C85D3C14D09DF9E958F1DE87F75B8311F1260B7D1340286051C7327974AAC05EE613C3C31786368F309076F
                        Malicious:false
                        Preview:24:08:2024
                        File type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):4.436165769648354
                        TrID:
                        • Win64 Dynamic Link Library (generic) Net Framework (111504/3) 44.42%
                        • Win64 Dynamic Link Library (generic) (102004/3) 40.63%
                        • Win64 Executable (generic) Net Framework (21505/4) 8.57%
                        • Win64 Executable (generic) (12005/4) 4.78%
                        • Generic Win/DOS Executable (2004/3) 0.80%
                        File name:fptlVDDPkS.dll
                        File size:8'928'616 bytes
                        MD5:ce2bb4e0e06fa9ed9b54af794b109370
                        SHA1:397c7c5907759587762fc06f1bdbe0fd30a9bf1e
                        SHA256:74442c540f07200122c8b3eab2a8bfd91709414c6571e1492c7b5ab7d1e0a7e7
                        SHA512:d729d543e7bb3ce001683ed86807ad00e0a26bb252f366e721516aa9033bf8f6530f6df6ae8d726ced8187612d0d0b2dce5214ce4c3c5c1512abf5827d30b41d
                        SSDEEP:24576:2rGQMfv6Uz+nLooxsIB19rbitrC4cOvRoN8Swd1FSM6ej4ZLUr6pp6YXCexFry4N:5LOujLIdb
                        TLSH:6A96538CE43AA4D8DD4235F07C92198C79895DE59FBD431A442CC4A522FB6BD028BBFD
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........." .................#... ........... ....................................@...@......@............... .....
                        Icon Hash:7ae282899bbab082
                        Entrypoint:0x1808823c6
                        Entrypoint Section:.text
                        Digitally signed:true
                        Imagebase:0x180000000
                        Subsystem:windows cui
                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x66AEC11B [Sat Aug 3 23:45:31 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:dae02f32a21e03ce65412f6e56942daa
                        Signature Valid:false
                        Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                        Signature Validation Error:The digital signature of the object did not verify
                        Error Number:-2146869232
                        Not Before, Not After
                        • 07/10/2021 01:00:00 10/10/2024 00:59:59
                        Subject Chain
                        • CN=Valve Corp., O=Valve Corp., L=Bellevue, S=Washington, C=US
                        Version:3
                        Thumbprint MD5:83896ECC20DB9E84A1A1D6D5B5B15A5D
                        Thumbprint SHA-1:935767D66FAD4AD2D1F03A095C49370DC74DF607
                        Thumbprint SHA-256:E98CCA8343960798A47BDB3CDD319DB4B9C6DBD8BC7574C13F6C09A925AEC0E9
                        Serial:0689B3BCEB4409890A32D71976B132A4
                        Instruction
                        dec eax
                        mov eax, dword ptr [80002000h]
                        add dword ptr [eax], eax
                        add byte ptr [eax], al
                        jmp eax
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x884068 | 0x28 | .sdata
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x882368 | 0x5b | .text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x886000 | 0x33c | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x881000 | 0x2d68 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x888000 | 0x30 | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x10 | .text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2010 | 0x48 | .text
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x2000 | 0x8803d2 | 0x880400 | 45e3a6c0fc69c2013cb5dba94d4bd8ff | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .sdata | 0x884000 | 0x1e3 | 0x200 | 1b4c37998180aa57cb0c5dd48e3ffdfc | False | 0.58984375 | data | 4.603473918101395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc | 0x886000 | 0x33c | 0x400 | ce27641c5dafa5f5f18a5cf4c815357e | False | 0.34375 | data | 2.617854134318074 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0x888000 | 0x30 | 0x200 | 74b254b03f9e2e48e742aef08486d3a6 | False | 0.115234375 | data | 0.5880203660963527 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_VERSION | 0x886058 | 0x2e4 | data | | | 0.4297297297297297
                        DLL | Import
                        mscoree.dll | _CorDllMain
                        Name | Ordinal | Address
                        V_FixDoubleSlashes | 0 | 0x180002122
                        V_FixSlashes | 1 | 0x1800020d2
                        V_IsAbsolutePath | 2 | 0x180002112
                        V_RemoveDotSlashes | 3 | 0x180002102
                        V_StripLastDir | 4 | 0x1800020c2
                        V_StripTrailingSlash | 5 | 0x1800020b2
                        V_UTF16ToUTF8 | 6 | 0x1800020a2
                        V_UTF8ToUTF16 | 7 | 0x180002092
                        V_snprintf | 8 | 0x180002062
                        V_strncat | 9 | 0x180002082
                        V_strncat_length | 10 | 0x1800020f2
                        V_strncpy | 11 | 0x1800020e2
                        V_vsnwprintf | 12 | 0x180002072
                        Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
                        2024-08-24T15:33:36.158142+0200 | TCP | 2814030 | ETPRO MALWARE W32/Quasar RAT Connectivity Check 2 | 1 | 49745 | 80 | 192.168.2.4 | 15.197.148.33
                        2024-08-24T15:33:33.626767+0200 | TCP | 2814031 | ETPRO MALWARE W32/Quasar RAT Connectivity Check | 1 | 49735 | 80 | 192.168.2.4 | 88.198.193.213
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Aug 24, 2024 15:33:32.660587072 CEST | 192.168.2.4 | 1.1.1.1 | 0xf41d | Standard query (0) | liga-730ce-default-rtdb.europe-west1.firebasedatabase.app | A (IP address) | IN (0x0001) | false
                        Aug 24, 2024 15:33:32.911850929 CEST | 192.168.2.4 | 1.1.1.1 | 0x3eb9 | Standard query (0) | telize.com | A (IP address) | IN (0x0001) | false
                        Aug 24, 2024 15:33:33.576294899 CEST | 192.168.2.4 | 1.1.1.1 | 0xfe46 | Standard query (0) | www.telize.com | A (IP address) | IN (0x0001) | false
                        Aug 24, 2024 15:33:35.618319988 CEST | 192.168.2.4 | 1.1.1.1 | 0xc252 | Standard query (0) | freegeoip.net | A (IP address) | IN (0x0001) | false
                        Aug 24, 2024 15:33:36.131463051 CEST | 192.168.2.4 | 1.1.1.1 | 0x941c | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                        Aug 24, 2024 15:33:50.433897972 CEST | 192.168.2.4 | 1.1.1.1 | 0x8678 | Standard query (0) | 15.164.165.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Aug 24, 2024 15:33:32.680145025 CEST | 1.1.1.1 | 192.168.2.4 | 0xf41d | No error (0) | liga-730ce-default-rtdb.europe-west1.firebasedatabase.app | | 34.107.226.223 | A (IP address) | IN (0x0001) | false
                        Aug 24, 2024 15:33:32.925682068 CEST | 1.1.1.1 | 192.168.2.4 | 0x3eb9 | No error (0) | telize.com | | 88.198.193.213 | A (IP address) | IN (0x0001) | false
                        Aug 24, 2024 15:33:33.584511042 CEST | 1.1.1.1 | 192.168.2.4 | 0xfe46 | No error (0) | www.telize.com | | 88.198.193.213 | A (IP address) | IN (0x0001) | false
                        Aug 24, 2024 15:33:35.626183987 CEST | 1.1.1.1 | 192.168.2.4 | 0xc252 | No error (0) | freegeoip.net | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                        Aug 24, 2024 15:33:35.626183987 CEST | 1.1.1.1 | 192.168.2.4 | 0xc252 | No error (0) | freegeoip.net | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                        Aug 24, 2024 15:33:36.138794899 CEST | 1.1.1.1 | 192.168.2.4 | 0x941c | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                        Aug 24, 2024 15:33:36.138794899 CEST | 1.1.1.1 | 192.168.2.4 | 0x941c | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                        Aug 24, 2024 15:33:36.138794899 CEST | 1.1.1.1 | 192.168.2.4 | 0x941c | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                        Aug 24, 2024 15:33:50.441760063 CEST | 1.1.1.1 | 192.168.2.4 | 0x8678 | Name error (3) | 15.164.165.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                        • liga-730ce-default-rtdb.europe-west1.firebasedatabase.app
                        • www.telize.com
                        • telize.com
                        • freegeoip.net
                        • api.ipify.org
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.4 | 49735 | 88.198.193.213 | 80 | 6720 | C:\Windows\System32\rundll32.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Aug 24, 2024 15:33:32.932059050 CEST | 144 | OUT | GET /geoip HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                        Host: telize.com
                        Connection: Keep-Alive
                        Aug 24, 2024 15:33:33.575335026 CEST | 403 | IN | HTTP/1.1 301 Moved Permanently
                        Server: nginx
                        Date: Sat, 24 Aug 2024 13:33:33 GMT
                        Content-Type: text/html
                        Content-Length: 162
                        Connection: keep-alive
                        Location: https://www.telize.com/geoip
                        Strict-Transport-Security: max-age=63072000
                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        1 | 192.168.2.4 | 49745 | 15.197.148.33 | 80 | 6720 | C:\Windows\System32\rundll32.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Aug 24, 2024 15:33:35.631851912 CEST | 146 | OUT | GET /xml/ HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                        Host: freegeoip.net
                        Connection: Keep-Alive
                        Aug 24, 2024 15:33:36.118235111 CEST | 259 | IN | HTTP/1.1 200 OK
                        Server: openresty
                        Date: Sat, 24 Aug 2024 13:33:36 GMT
                        Content-Type: text/html
                        Content-Length: 114
                        Connection: keep-alive
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        2 | 192.168.2.4 | 49746 | 104.26.12.205 | 80 | 6720 | C:\Windows\System32\rundll32.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Aug 24, 2024 15:33:36.144462109 CEST | 142 | OUT | GET / HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                        Host: api.ipify.org
                        Connection: Keep-Alive
                        Aug 24, 2024 15:33:36.620897055 CEST227INHTTP/1.1 200 OK
                        Date: Sat, 24 Aug 2024 13:33:36 GMT
                        Content-Type: text/plain
                        Content-Length: 11
                        Connection: keep-alive
                        Vary: Origin
                        CF-Cache-Status: DYNAMIC
                        Server: cloudflare
                        CF-RAY: 8b83b70f783b7ce8-EWR
                        Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                        Data Ascii: 8.46.123.33


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.4 | 49734 | 34.107.226.223 | 443 | 6720 | C:\Windows\System32\rundll32.exe
                        Timestamp | Bytes transferred | Direction | Data
                        2024-08-24 13:33:33 UTC | 206 | OUT | POST /user.json HTTP/1.1
                        Content-Type: application/json; charset=utf-8
                        Host: liga-730ce-default-rtdb.europe-west1.firebasedatabase.app
                        Content-Length: 76
                        Expect: 100-continue
                        Connection: Keep-Alive
                        2024-08-24 13:33:33 UTC | 25 | IN | HTTP/1.1 100 Continue
                        2024-08-24 13:33:33 UTC | 1 | OUT | Data Raw: 7b
                        Data Ascii: {
                        2024-08-24 13:33:33 UTC | 75 | OUT | Data Raw: 22 4d 41 51 55 49 4e 41 22 3a 22 4d 7a 41 31 4d 44 6b 77 22 2c 22 44 41 54 41 22 3a 22 4d 6a 51 75 4d 44 67 75 4d 6a 41 79 4e 43 41 77 4f 54 6f 7a 4d 7a 6f 7a 4d 51 3d 3d 22 2c 22 50 4c 55 47 49 4e 22 3a 22 4d 41 3d 3d 22 7d
                        Data Ascii: "MAQUINA":"MzA1MDkw","DATA":"MjQuMDguMjAyNCAwOTozMzozMQ==","PLUGIN":"MA=="}
                        2024-08-24 13:33:33 UTC | 431 | IN | HTTP/1.1 404 Not Found
                        Server: nginx
                        Date: Sat, 24 Aug 2024 13:33:33 GMT
                        Content-Type: application/json; charset=utf-8
                        Content-Length: 136
                        Connection: close
                        Access-Control-Allow-Origin: *
                        Cache-Control: no-cache
                        Strict-Transport-Security: max-age=31556926; includeSubDomains; preload
                        {
                        "error" : "Firebase error. Please ensure that you have the URL of your Firebase Realtime Database instance configured correctly."
                        }


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        1 | 192.168.2.4 | 49738 | 88.198.193.213 | 443 | 6720 | C:\Windows\System32\rundll32.exe
                        Timestamp | Bytes transferred | Direction | Data
                        2024-08-24 13:33:34 UTC | 148 | OUT | GET /geoip HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                        Host: www.telize.com
                        Connection: Keep-Alive


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        2 | 192.168.2.4 | 49742 | 88.198.193.213 | 443 | 6720 | C:\Windows\System32\rundll32.exe
                        Timestamp | Bytes transferred | Direction | Data
                        2024-08-24 13:33:35 UTC | 148 | OUT | GET /geoip HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
                        Host: www.telize.com
                        Connection: Keep-Alive


                        Target ID:0
                        Start time:09:33:16
                        Start date:24/08/2024
                        Path:C:\Windows\System32\loaddll64.exe
                        Wow64 process (32bit):false
                        Commandline:loaddll64.exe "C:\Users\user\Desktop\fptlVDDPkS.dll"
                        Imagebase:0x7ff6c62c0000
                        File size:165'888 bytes
                        MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:1
                        Start time:09:33:16
                        Start date:24/08/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:2
                        Start time:09:33:16
                        Start date:24/08/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",#1
                        Imagebase:0x7ff6ce5c0000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:3
                        Start time:09:33:16
                        Start date:24/08/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe C:\Users\user\Desktop\fptlVDDPkS.dll,V_FixDoubleSlashes
                        Imagebase:0x7ff7f6ea0000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.1668395234.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.1667472107.000001BC60BE2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:true

                        Target ID:4
                        Start time:09:33:16
                        Start date:24/08/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",#1
                        Imagebase:0x7ff7f6ea0000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.1668412370.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.1666955684.0000020918002000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:true

                        Target ID:5
                        Start time:09:33:19
                        Start date:24/08/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe C:\Users\user\Desktop\fptlVDDPkS.dll,V_FixSlashes
                        Imagebase:0x7ff7f6ea0000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.1695695577.00000248ADE42000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.1696549339.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:true

                        Target ID:6
                        Start time:09:33:22
                        Start date:24/08/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe C:\Users\user\Desktop\fptlVDDPkS.dll,V_IsAbsolutePath
                        Imagebase:0x7ff7f6ea0000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.1727589413.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.1726303377.000001913F182000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:true

                        Target ID:7
                        Start time:09:33:25
                        Start date:24/08/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_FixDoubleSlashes
                        Imagebase:0x7ff7f6ea0000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.1767938482.0000019C54E42000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.1774386818.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:true

                        Target ID:8
                        Start time:09:33:25
                        Start date:24/08/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_FixSlashes
                        Imagebase:0x2f0000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000008.00000002.1776484924.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000008.00000002.1769938139.000001F642762000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:true

                        Target ID:9
                        Start time:09:33:25
                        Start date:24/08/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_IsAbsolutePath
                        Imagebase:0x7ff7f6ea0000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000009.00000002.1765732103.000002839B602000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000009.00000002.1771163576.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:true

                        Target ID:10
                        Start time:09:33:25
                        Start date:24/08/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_vsnwprintf
                        Imagebase:0x7ff7f6ea0000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.1771215742.0000026CFA222000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.1778180373.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:true

                        Target ID:11
                        Start time:09:33:25
                        Start date:24/08/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_strncpy
                        Imagebase:0x7ff7f6ea0000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.1776419485.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.1766023435.0000012098002000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Has exited:true

                        Target ID:12
                        Start time:09:33:25
                        Start date:24/08/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_strncat_length
                        Imagebase:0x7ff7f6ea0000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000C.00000002.1778990439.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000C.00000002.1772006527.000001DC50A92000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Has exited:true

                        Target ID:13
                        Start time:09:33:25
                        Start date:24/08/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_strncat
                        Imagebase:0x7ff7f6ea0000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000D.00000002.1777637531.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000D.00000002.1771066252.000001D35A0B2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Has exited:true

                        Target ID:14
                        Start time:09:33:25
                        Start date:24/08/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_snprintf
                        Imagebase:0x7ff7f6ea0000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000E.00000002.1775949797.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000E.00000002.1769466887.000001CAEE262000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Has exited:true

                        Target ID:15
                        Start time:09:33:25
                        Start date:24/08/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_UTF8ToUTF16
                        Imagebase:0x7ff7f6ea0000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000F.00000002.1776417055.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000F.00000002.1769892834.0000023CAA572000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Has exited:true

                        Target ID:16
                        Start time:09:33:25
                        Start date:24/08/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_UTF16ToUTF8
                        Imagebase:0x7ff7f6ea0000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000010.00000002.3523087270.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000010.00000002.3521166027.000002BED4882000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Has exited:false

                        Target ID:17
                        Start time:09:33:25
                        Start date:24/08/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_StripTrailingSlash
                        Imagebase:0x7ff7f6ea0000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000011.00000002.1775787220.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000011.00000002.1769289446.000001FB23C12000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Has exited:true

                        Target ID:18
                        Start time:09:33:25
                        Start date:24/08/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_StripLastDir
                        Imagebase:0x7ff7f6ea0000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000012.00000002.1769582440.000002904BC52000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000012.00000002.1776033093.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Has exited:true

                        Target ID:19
                        Start time:09:33:25
                        Start date:24/08/2024
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe "C:\Users\user\Desktop\fptlVDDPkS.dll",V_RemoveDotSlashes
                        Imagebase:0x7ff7f6ea0000
                        File size:71'680 bytes
                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000013.00000002.1779910260.00007FFDFAF02000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000013.00000002.1773163697.0000023BDEBE2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Has exited:true

                        No disassembly