
Windows Analysis Report
Imprimir_Entrada.exe

Overview

General Information

Sample name: Imprimir_Entrada.exe
Analysis ID: 1664024
MD5: 4c9698e7feffaa7fe78749eacd39efbc
SHA1: 7b123f6a4475ac602c561dc485447f9e1b430dcf
SHA256: b387dca776ec20a5f7c8cc1df2a473f7b76520b6a33e2993850a21999cf612b3
Tags: exe, user-abuse_ch

Detection

Quasar, StormKitty
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Quasar RAT
Yara detected StormKitty Stealer
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Imprimir_Entrada.exe (PID: 6604 cmdline: "C:\Users\user\Desktop\Imprimir_Entrada.exe" MD5: 4C9698E7FEFFAA7FE78749EACD39EFBC)
    • schtasks.exe (PID: 6168 cmdline: "schtasks" /create /tn "Photoshop Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 6148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Client.exe (PID: 4212 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: 4C9698E7FEFFAA7FE78749EACD39EFBC)
      • schtasks.exe (PID: 5936 cmdline: "schtasks" /create /tn "Photoshop Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 6588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 7360 cmdline: "netsh" wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
        • conhost.exe (PID: 7368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Client.exe (PID: 7188 cmdline: C:\Users\user\AppData\Roaming\SubDir\Client.exe MD5: 4C9698E7FEFFAA7FE78749EACD39EFBC)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Name: Cameleon, StormKitty
Description: PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon
No configs have been found
Yara matches (Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Author: Joe Security)

Sample:
  • Imprimir_Entrada.exe
Dropped file:
  • C:\Users\user\AppData\Roaming\SubDir\Client.exe
Memory dumps:
  • 00000000.00000002.1277368267.0000011F6EA82000.00000004.00000020.00020000.00000000.sdmp
  • 00000000.00000002.1276901567.0000011F6C7D0000.00000004.08000000.00040000.00000000.sdmp
  • 00000000.00000002.1275681330.0000011F6C3D6000.00000004.00000020.00020000.00000000.sdmp
  • 0000000D.00000002.1320232290.0000026E98206000.00000004.00000020.00020000.00000000.sdmp
  • 00000000.00000000.1231929670.0000011F6C192000.00000002.00000001.01000000.00000003.sdmp
Unpacked PE files:
  • 0.2.Imprimir_Entrada.exe.11f6c7d0000.1.unpack
  • 0.2.Imprimir_Entrada.exe.11f6c7d0000.1.raw.unpack
  • 0.0.Imprimir_Entrada.exe.11f6c190000.0.unpack
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "schtasks" /create /tn "Photoshop Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Photoshop Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\Client.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\Client.exe, ParentProcessId: 4212, ParentProcessName: Client.exe, ProcessCommandLine: "schtasks" /create /tn "Photoshop Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 5936, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "schtasks" /create /tn "Photoshop Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Photoshop Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Imprimir_Entrada.exe", ParentImage: C:\Users\user\Desktop\Imprimir_Entrada.exe, ParentProcessId: 6604, ParentProcessName: Imprimir_Entrada.exe, ProcessCommandLine: "schtasks" /create /tn "Photoshop Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 6168, ProcessName: schtasks.exe

Stealing of Sensitive Information

Source: Process started, Author: Joe Security, Data: Command: "netsh" wlan show profiles, CommandLine: "netsh" wlan show profiles, CommandLine|base64offset|contains: V, Image: C:\Windows\System32\netsh.exe, NewProcessName: C:\Windows\System32\netsh.exe, OriginalFileName: C:\Windows\System32\netsh.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\Client.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\Client.exe, ParentProcessId: 4212, ParentProcessName: Client.exe, ProcessCommandLine: "netsh" wlan show profiles, ProcessId: 7360, ProcessName: netsh.exe
No Suricata rule has matched


AV Detection

Source: C:\Users\user\AppData\Local\Temp\LM6C8EYHXFcK.exe, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, ReversingLabs: Detection: 33%
Source: Imprimir_Entrada.exe, Virustotal: Detection: 48%
Source: Imprimir_Entrada.exe, ReversingLabs: Detection: 33%
Source: Yara match, File source: Imprimir_Entrada.exe, type: SAMPLE
Source: Yara match, File source: 0.2.Imprimir_Entrada.exe.11f6c7d0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Imprimir_Entrada.exe.11f6c7d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.Imprimir_Entrada.exe.11f6c190000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.1277368267.0000011F6EA82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1276901567.0000011F6C7D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1275681330.0000011F6C3D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.1320232290.0000026E98206000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000000.1231929670.0000011F6C192000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Imprimir_Entrada.exe PID: 6604, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Client.exe PID: 4212, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Client.exe PID: 7188, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
Source: Submitted Sample, Neural Call Log Analysis: 99.8%
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Code function: 4_2_00007FF88B6F147E CryptUnprotectData
Source: Imprimir_Entrada.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 15.204.213.5:443 -> 192.168.2.6:49689 version: TLS 1.2
Source: Imprimir_Entrada.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: costura.sharpdx.pdb.compressedx source: Client.exe, 00000004.00000002.3690793107.000001D838311000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.sharpdx.direct3d11.pdb.compressed source: Imprimir_Entrada.exe, Client.exe.0.dr
                      Source: Binary string: costura.sharpdx.dxgi.pdb.compressed|||SharpDX.DXGI.pdb|D73E59804E3EE494A4612185771F7F67B2FD64AE|34752 source: Imprimir_Entrada.exe, Client.exe.0.dr
                      Source: Binary string: costura.sharpdx.dxgi.pdb.compressed source: Imprimir_Entrada.exe, Client.exe.0.dr
                      Source: Binary string: )costura.sharpdx.direct3d11.pdb.compressed8 source: Client.exe, 00000004.00000002.3690793107.000001D838311000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.sharpdx.pdb.compressed|||SharpDX.pdb|1A7C10AA582CCEEBFFD9BC77A11353AAAE6417E9|42824 source: Imprimir_Entrada.exe, Client.exe.0.dr
                      Source: Binary string: ClientClient.exemscorlibSystem.Windows.FormsPulsar.CommonSystemSystem.DrawingSystem.CoreSystem.Runtime.SerializationNAudio.WinMMNAudio.CoreNAudio.WasapiGma.System.MouseKeyHookSystem.IO.CompressionSystem.ManagementSharpDX.Direct3D11SharpDX.DXGISharpDXAForge.Video.DirectShowAForge.VideoSystem.SecurityNAudio.WinFormsSystem.IO.Compression.FileSystemSystem.Webnetstandarduser32.dllkernel32.dlliphlpapi.dllDbgHelp.dllgdi32.dllntdll.dllrstrtmgr.dllbcrypt.dllcrypt32.dllmsvcrt.dlladvapi32.dllkernelbase.dllucrtbase.dllntdllwin32u.dllPulsar.Client.Properties.Resources.resourcescostura.aforge.dll.compressedcostura.aforge.video.dll.compressedcostura.aforge.video.directshow.dll.compressedcostura.gma.system.mousekeyhook.dll.compressedcostura.naudio.core.dll.compressedcostura.naudio.wasapi.dll.compressedcostura.naudio.winforms.dll.compressedcostura.naudio.winmm.dll.compressedcostura.protobuf-net.dll.compressedcostura.sharpdx.dll.compressedcostura.sharpdx.pdb.compressedcostura.sharpdx.direct3d11.dll.compressedcostura.sharpdx.direct3d11.pdb.compressedcostura.sharpdx.dxgi.dll.compressedcostura.sharpdx.dxgi.pdb.compressedcostura.pulsar.common.dll.compressedcostura.metadata source: Imprimir_Entrada.exe, Client.exe.0.dr
                      Source: Binary string: #costura.sharpdx.dxgi.pdb.compressed source: Imprimir_Entrada.exe, 00000000.00000002.1271263351.0000011F00001000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3690793107.000001D838311000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000D.00000002.1322310229.0000026E99CC1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.sharpdx.direct3d11.pdb.compressed|||SharpDX.Direct3D11.pdb|A2259A45EA284247B3AA65EC9C1DBEBD47FE208F|78220 source: Imprimir_Entrada.exe, Client.exe.0.dr
                      Source: Binary string: System.IO.Compression.pdbqj source: Client.exe, 00000004.00000002.3698641246.000001D850C80000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.IO.Compression.pdb source: Client.exe, 00000004.00000002.3690793107.000001D8386C3000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: Client.exe, 00000004.00000002.3700500597.000001D850EA0000.00000004.08000000.00040000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D8483B5000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D84832D000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.sharpdx.pdb.compressed source: Imprimir_Entrada.exe, Client.exe.0.dr
                      Source: Binary string: .pdbHJ source: Client.exe, 00000004.00000002.3689486754.000000C38DCF6000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: )costura.sharpdx.direct3d11.pdb.compressed source: Imprimir_Entrada.exe, 00000000.00000002.1271263351.0000011F00001000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000D.00000002.1322310229.0000026E99CC1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256= source: Client.exe, 00000004.00000002.3700500597.000001D850EA0000.00000004.08000000.00040000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D8483B5000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D84832D000.00000004.00000800.00020000.00000000.sdmp
Source: global traffic, TCP traffic: 192.168.2.6:49687 -> 176.65.141.202:4782
Source: Joe Sandbox View, IP Address: 15.204.213.5
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown, DNS query: name: ipwho.is
Source: global traffic, HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
  Host: ipwho.is
  Connection: Keep-Alive
Source: unknown, TCP traffic detected without corresponding DNS query: 176.65.141.202
Source: global traffic, DNS traffic detected: DNS query: ipwho.is
                      Source: Client.exe, 00000004.00000002.3689801664.000001D836900000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                      Source: Client.exe, 00000004.00000002.3697591915.000001D850B80000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.4.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                      Source: Client.exe, 00000004.00000002.3690793107.000001D8384E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                      Source: Client.exe, 00000004.00000002.3690793107.000001D8384E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/iweuuebcijm
                      Source: Imprimir_Entrada.exe, 00000000.00000002.1271263351.0000011F00001000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3690793107.000001D838328000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: Client.exe, 00000004.00000002.3696329902.000001D848495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                      Source: Client.exe, 00000004.00000002.3696329902.000001D848495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: Client.exe, 00000004.00000002.3696329902.000001D848495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: Client.exe, 00000004.00000002.3696329902.000001D848495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: Client.exe, 00000004.00000002.3696329902.000001D848495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: Client.exe, 00000004.00000002.3696329902.000001D848495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20-
                      Source: Client.exe, 00000004.00000002.3696329902.000001D848495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: Client.exe, 00000004.00000002.3696329902.000001D848495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                      Source: Client.exe, 00000004.00000002.3690793107.000001D83865C000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3690793107.000001D8388E7000.00000004.00000800.00020000.00000000.sdmp, LM6C8EYHXFcK.exe.4.drString found in binary or memory: https://github.com/LimerBoy/StormKitty
                      Source: Client.exe, 00000004.00000002.3700436204.000001D850E90000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/gmamaladze/globalmousekeyhook
                      Source: Client.exe, 00000004.00000002.3700436204.000001D850E90000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/gmamaladze/globalmousekeyhookF
                      Source: Client.exe, 00000004.00000002.3696329902.000001D84832D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                      Source: Client.exe, 00000004.00000002.3700500597.000001D850EA0000.00000004.08000000.00040000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D8483B5000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D84832D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net6
                      Source: Client.exe, 00000004.00000002.3700500597.000001D850EA0000.00000004.08000000.00040000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D8483B5000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D84832D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                      Source: Client.exe, 00000004.00000002.3700500597.000001D850EA0000.00000004.08000000.00040000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D8483B5000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D84832D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                      Source: Client.exe, 00000004.00000002.3690793107.000001D838485000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipwho.is
                      Source: Client.exe, 00000004.00000002.3690793107.000001D838485000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipwho.is/
                      Source: Client.exe, 00000004.00000002.3700500597.000001D850EA0000.00000004.08000000.00040000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D8483B5000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D84832D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                      Source: Client.exe, 00000004.00000002.3700500597.000001D850EA0000.00000004.08000000.00040000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D8483B5000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3690793107.000001D838328000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D84832D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                      Source: Client.exe, 00000004.00000002.3700500597.000001D850EA0000.00000004.08000000.00040000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D8483B5000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D84832D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                      Source: Client.exe, 00000004.00000002.3698641246.000001D850D06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                      Source: Client.exe, 00000004.00000002.3696329902.000001D848495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
                      Source: Client.exe, 00000004.00000002.3696329902.000001D848495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                      Source: Client.exe, 00000004.00000002.3698641246.000001D850D06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/
                      Source: Client.exe, 00000004.00000002.3698641246.000001D850D06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
                      Source: Client.exe, 00000004.00000002.3698641246.000001D850D06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown, Network traffic detected: HTTP traffic on port 49689 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\Client.exe

E-Banking Fraud

Source: Yara match, File source: Imprimir_Entrada.exe, type: SAMPLE
Source: Yara match, File source: 0.2.Imprimir_Entrada.exe.11f6c7d0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Imprimir_Entrada.exe.11f6c7d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.Imprimir_Entrada.exe.11f6c190000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.1277368267.0000011F6EA82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1276901567.0000011F6C7D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1275681330.0000011F6C3D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.1320232290.0000026E98206000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000000.1231929670.0000011F6C192000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Imprimir_Entrada.exe PID: 6604, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Client.exe PID: 4212, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Client.exe PID: 7188, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B4CCC46 CreateDesktopW,4_2_00007FF88B4CCC46
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exeCode function: 0_2_00007FF88B4E0F960_2_00007FF88B4E0F96
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exeCode function: 0_2_00007FF88B4E16C50_2_00007FF88B4E16C5
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exeCode function: 0_2_00007FF88B4E1AF20_2_00007FF88B4E1AF2
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exeCode function: 0_2_00007FF88B4E65B60_2_00007FF88B4E65B6
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exeCode function: 0_2_00007FF88B4E16FA0_2_00007FF88B4E16FA
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exeCode function: 0_2_00007FF88B4E06980_2_00007FF88B4E0698
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B4DFC304_2_00007FF88B4DFC30
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B4BC9B84_2_00007FF88B4BC9B8
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B4BD0654_2_00007FF88B4BD065
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B4F60104_2_00007FF88B4F6010
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B4CEF954_2_00007FF88B4CEF95
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B4B0F964_2_00007FF88B4B0F96
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B4D9DD64_2_00007FF88B4D9DD6
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B4C07704_2_00007FF88B4C0770
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B4C07104_2_00007FF88B4C0710
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B4C07304_2_00007FF88B4C0730
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B4CA7A04_2_00007FF88B4CA7A0
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B4B05084_2_00007FF88B4B0508
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B4C4B754_2_00007FF88B4C4B75
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B4B13664_2_00007FF88B4B1366
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B4B130D4_2_00007FF88B4B130D
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B4C01704_2_00007FF88B4C0170
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B4E510D4_2_00007FF88B4E510D
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B4B06984_2_00007FF88B4B0698
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B6789DF4_2_00007FF88B6789DF
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B67217D4_2_00007FF88B67217D
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B6F2DD04_2_00007FF88B6F2DD0
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 4_2_00007FF88B6F375D4_2_00007FF88B6F375D
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 13_2_00007FF88B4C16C513_2_00007FF88B4C16C5
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 13_2_00007FF88B4C1AEB13_2_00007FF88B4C1AEB
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 13_2_00007FF88B4C13DD13_2_00007FF88B4C13DD
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 13_2_00007FF88B4C0F9613_2_00007FF88B4C0F96
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 13_2_00007FF88B4C65B613_2_00007FF88B4C65B6
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 13_2_00007FF88B4C142713_2_00007FF88B4C1427
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeCode function: 13_2_00007FF88B4C16F213_2_00007FF88B4C16F2
                      Source: Imprimir_Entrada.exe, 00000000.00000002.1275681330.0000011F6C3D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePulsar.Common.dll. vs Imprimir_Entrada.exe
                      Source: Imprimir_Entrada.exe, 00000000.00000002.1277368267.0000011F6EA82000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe" vs Imprimir_Entrada.exe
                      Source: Imprimir_Entrada.exe, 00000000.00000000.1231929670.0000011F6C192000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameClient.exe" vs Imprimir_Entrada.exe
                      Source: Imprimir_Entrada.exe, 00000000.00000002.1276901567.0000011F6C7D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamePulsar.Common.dll. vs Imprimir_Entrada.exe
                      Source: Imprimir_Entrada.exeBinary or memory string: OriginalFilenameClient.exe" vs Imprimir_Entrada.exe
                      Source: Imprimir_Entrada.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                      Source: Imprimir_Entrada.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: Client.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: Imprimir_Entrada.exe, tDiEDOl99m5ZDzK3AIdjFFQ.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                      Source: LM6C8EYHXFcK.exe.4.dr, --.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.Imprimir_Entrada.exe.11f6c7d0000.1.raw.unpack, PayloadWriter.csSuspicious method names: .PayloadWriter.WriteInteger
                      Source: 0.2.Imprimir_Entrada.exe.11f6c7d0000.1.raw.unpack, PayloadWriter.csSuspicious method names: .PayloadWriter.WriteBytes
                      Source: 0.2.Imprimir_Entrada.exe.11f6c7d0000.1.raw.unpack, PayloadWriter.csSuspicious method names: .PayloadWriter.WriteMessage
                      Source: 0.2.Imprimir_Entrada.exe.11f6c7d0000.1.raw.unpack, PayloadWriter.csSuspicious method names: .PayloadWriter.Dispose
                      Source: 0.2.Imprimir_Entrada.exe.11f6c7d0000.1.raw.unpack, PayloadReader.csSuspicious method names: .PayloadReader.ReadInteger
                      Source: 0.2.Imprimir_Entrada.exe.11f6c7d0000.1.raw.unpack, PayloadReader.csSuspicious method names: .PayloadReader.ReadBytes
                      Source: 0.2.Imprimir_Entrada.exe.11f6c7d0000.1.raw.unpack, PayloadReader.csSuspicious method names: .PayloadReader.ReadMessage
                      Source: 0.2.Imprimir_Entrada.exe.11f6c7d0000.1.raw.unpack, PayloadReader.csSuspicious method names: .PayloadReader.Dispose
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@13/6@1/2
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exeFile created: C:\Users\user\AppData\Roaming\SubDirJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6588:120:WilError_03
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeMutant created: NULL
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeMutant created: \Sessions\1\BaseNamedObjects\Local\d7e032b1-039d-4eff-a4d0-a08a88c753f5
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6148:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7368:120:WilError_03
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeFile created: C:\Users\user\AppData\Local\Temp\LM6C8EYHXFcK.exeJump to behavior
                      Source: Imprimir_Entrada.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: Imprimir_Entrada.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: Client.exe, 00000004.00000002.3690793107.000001D8386CF000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3690793107.000001D838734000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: Imprimir_Entrada.exeVirustotal: Detection: 48%
                      Source: Imprimir_Entrada.exeReversingLabs: Detection: 33%
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exeFile read: C:\Users\user\Desktop\Imprimir_Entrada.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\Imprimir_Entrada.exe "C:\Users\user\Desktop\Imprimir_Entrada.exe"
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Photoshop Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                      Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Photoshop Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                      Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\SubDir\Client.exe C:\Users\user\AppData\Roaming\SubDir\Client.exe
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess created: C:\Windows\System32\netsh.exe "netsh" wlan show profiles
                      Source: C:\Windows\System32\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Section loaded: ntmarta.dll
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Section loaded: apphelp.dll
                      Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                      Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: secur32.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: schannel.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: cryptnet.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: webio.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: cabinet.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: rasapi32.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: rasman.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: rtutils.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                      Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: polstore.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: winipsec.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: cabinet.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: p2pnetsh.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: p2p.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: rpcnsh.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: wcnnetsh.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: wlanapi.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: whhelper.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: winhttp.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: wlancfg.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: wshelper.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: wevtapi.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: mswsock.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: wwancfg.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: wwapi.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: wcmapi.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: rmclient.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: mobilenetworking.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: peerdistsh.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: slc.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: sppc.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: ktmw32.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: mprmsg.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\netsh.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: Imprimir_Entrada.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Imprimir_Entrada.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                      Source: Imprimir_Entrada.exe | Static file information: File size 1210880 > 1048576
                      Source: Imprimir_Entrada.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x109400
                      Source: Imprimir_Entrada.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: costura.sharpdx.pdb.compressedx source: Client.exe, 00000004.00000002.3690793107.000001D838311000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.sharpdx.direct3d11.pdb.compressed source: Imprimir_Entrada.exe, Client.exe.0.dr
                      Source: Binary string: costura.sharpdx.dxgi.pdb.compressed|||SharpDX.DXGI.pdb|D73E59804E3EE494A4612185771F7F67B2FD64AE|34752 source: Imprimir_Entrada.exe, Client.exe.0.dr
                      Source: Binary string: costura.sharpdx.dxgi.pdb.compressed source: Imprimir_Entrada.exe, Client.exe.0.dr
                      Source: Binary string: )costura.sharpdx.direct3d11.pdb.compressed8 source: Client.exe, 00000004.00000002.3690793107.000001D838311000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.sharpdx.pdb.compressed|||SharpDX.pdb|1A7C10AA582CCEEBFFD9BC77A11353AAAE6417E9|42824 source: Imprimir_Entrada.exe, Client.exe.0.dr
                      Source: Binary string: ClientClient.exemscorlibSystem.Windows.FormsPulsar.CommonSystemSystem.DrawingSystem.CoreSystem.Runtime.SerializationNAudio.WinMMNAudio.CoreNAudio.WasapiGma.System.MouseKeyHookSystem.IO.CompressionSystem.ManagementSharpDX.Direct3D11SharpDX.DXGISharpDXAForge.Video.DirectShowAForge.VideoSystem.SecurityNAudio.WinFormsSystem.IO.Compression.FileSystemSystem.Webnetstandarduser32.dllkernel32.dlliphlpapi.dllDbgHelp.dllgdi32.dllntdll.dllrstrtmgr.dllbcrypt.dllcrypt32.dllmsvcrt.dlladvapi32.dllkernelbase.dllucrtbase.dllntdllwin32u.dllPulsar.Client.Properties.Resources.resourcescostura.aforge.dll.compressedcostura.aforge.video.dll.compressedcostura.aforge.video.directshow.dll.compressedcostura.gma.system.mousekeyhook.dll.compressedcostura.naudio.core.dll.compressedcostura.naudio.wasapi.dll.compressedcostura.naudio.winforms.dll.compressedcostura.naudio.winmm.dll.compressedcostura.protobuf-net.dll.compressedcostura.sharpdx.dll.compressedcostura.sharpdx.pdb.compressedcostura.sharpdx.direct3d11.dll.compressedcostura.sharpdx.direct3d11.pdb.compressedcostura.sharpdx.dxgi.dll.compressedcostura.sharpdx.dxgi.pdb.compressedcostura.pulsar.common.dll.compressedcostura.metadata source: Imprimir_Entrada.exe, Client.exe.0.dr
                      Source: Binary string: #costura.sharpdx.dxgi.pdb.compressed source: Imprimir_Entrada.exe, 00000000.00000002.1271263351.0000011F00001000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3690793107.000001D838311000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000D.00000002.1322310229.0000026E99CC1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.sharpdx.direct3d11.pdb.compressed|||SharpDX.Direct3D11.pdb|A2259A45EA284247B3AA65EC9C1DBEBD47FE208F|78220 source: Imprimir_Entrada.exe, Client.exe.0.dr
                      Source: Binary string: System.IO.Compression.pdbqj source: Client.exe, 00000004.00000002.3698641246.000001D850C80000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.IO.Compression.pdb source: Client.exe, 00000004.00000002.3690793107.000001D8386C3000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: Client.exe, 00000004.00000002.3700500597.000001D850EA0000.00000004.08000000.00040000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D8483B5000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D84832D000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.sharpdx.pdb.compressed source: Imprimir_Entrada.exe, Client.exe.0.dr
                      Source: Binary string: .pdbHJ source: Client.exe, 00000004.00000002.3689486754.000000C38DCF6000.00000004.00000010.00020000.00000000.sdmp
                      Source: Binary string: )costura.sharpdx.direct3d11.pdb.compressed source: Imprimir_Entrada.exe, 00000000.00000002.1271263351.0000011F00001000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000D.00000002.1322310229.0000026E99CC1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256= source: Client.exe, 00000004.00000002.3700500597.000001D850EA0000.00000004.08000000.00040000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D8483B5000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3696329902.000001D84832D000.00000004.00000800.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: Imprimir_Entrada.exe, AssemblyLoader.cs | .Net Code: _0002 System.Reflection.Assembly.Load(byte[])
                      Source: Imprimir_Entrada.exe, M9DHHB2aKZF5bqXz.cs | .Net Code: YC96KFZk7zpvJ8
                      Source: Imprimir_Entrada.exe, M9DHHB2aKZF5bqXz.cs | .Net Code: xT5WHZeaapYVz4XZ
                      Source: Imprimir_Entrada.exe, z7P4mD4S2Uhozt10gfuJVQKUlCSv3.cs | .Net Code: _0002 System.Reflection.Assembly.Load(byte[])
                      Source: 4.2.Client.exe.1d848365998.4.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
                      Source: 4.2.Client.exe.1d848365998.4.raw.unpack, ListDecorator.cs | .Net Code: Read
                      Source: 4.2.Client.exe.1d848365998.4.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
                      Source: 4.2.Client.exe.1d848365998.4.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
                      Source: 4.2.Client.exe.1d848365998.4.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
                      Source: Yara match | File source: Process Memory Space: Imprimir_Entrada.exe PID: 6604, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Code function: 0_2_00007FF88B4E00BD pushad ; iretd 0_2_00007FF88B4E00C1
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Code function: 0_2_00007FF88B4E7558 push ebx; iretd 0_2_00007FF88B4E756A
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF88B39D2A5 pushad ; iretd 4_2_00007FF88B39D2A6
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF88B4E3316 pushfd ; retn FFFFh 4_2_00007FF88B4E3929
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF88B4E6140 push cs; retn 5F4Ch 4_2_00007FF88B4E631F
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF88B4B00BD pushad ; iretd 4_2_00007FF88B4B00C1
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF88B4B8169 push ebx; ret 4_2_00007FF88B4B816A
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 4_2_00007FF88B67714B push ds; retf 4_2_00007FF88B67715F
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Code function: 13_2_00007FF88B4C00BD pushad ; iretd 13_2_00007FF88B4C00C1
                      Source: Imprimir_Entrada.exe | Static PE information: section name: .text entropy: 7.803532123820447
                      Source: Client.exe.0.dr | Static PE information: section name: .text entropy: 7.803532123820447
                      Source: Imprimir_Entrada.exe, M9DHHB2aKZF5bqXz.cs | High entropy of concatenated method names: '_0002', '_0002', '_0002', '_0002', '_0002', '_0002', '_0002', '_0002', 'HAbiE0kzYK', '_0002'
                      Source: Imprimir_Entrada.exe, g66CQ6NBiVEUzYy.cs | High entropy of concatenated method names: 'PortConnectionAntiVM', 'EmulationTimingCheck', 'AVXInstructions', 'RDRANDInstruction', 'FlagsManipulationInstructions', '_0002', '_0002', '_0002', '_0002', '_0002'
                      Source: Imprimir_Entrada.exe, U6JDMvgrpZL.cs | High entropy of concatenated method names: '_7lI3JV3PvKL', 't7ErJESoE6mkyUHu', 'bbnLO7pU14XEPUK', 'xTPrzikHg9A8hEzNI7UtiKf9Y', '_0002', '_7rwxFK5S9bMnxQ', 'dRaN6LXgsDyUFfb2', 'fRBrjdFtog', 'BnXNmu9maSrCkLEuQzzxhi', 'HgOl3xUdSpteE'
                      Source: Imprimir_Entrada.exe, 59zCccc6RkaNHcedZArKTD8i7iMA.cs | High entropy of concatenated method names: '_0002', '_0003', '_0002', '_0002', '_0002', 'oKdCbrosEpTYFQEe5HEP', '_2jSt5ch5I4v2LLQgHarJSrnYJDKn', 'ZEGflwkKTg', 'Gx5uig4Fx7yqWG', 'K54k2R42szoWjZpWy4cDfv'
                      Source: Imprimir_Entrada.exe, 9lE4Ze0NsN.cs | High entropy of concatenated method names: '_0002', '_0002', '_0002', '_0003', 'uLE9OxVEraxuwVBQpytv1Xd', 'lrp5xQaCMot7tD', 'fGervoyBn04MFWdwWs1YhHZQa9vhI', 'Dhl1NpXpriwqBF3EUqs2WP', 'Dispose', 'pZYqNRv3Q2BxWkOIyYqASl0GUXV'
                      Source: Imprimir_Entrada.exe, VyGGhq7pUKxy5imdbM9RBG.cs | High entropy of concatenated method names: '_1qkP2ha6P8jpgOGDTYrS0IRM05', 'LNoTmPzsBRAVOsZlBPkeoZT', 'PwH7sZXY72Ptlp6ZrgE', 'TDcjbgP7QaBv3KD0H19m4lXWd', 'AVTKxHUiJMTigLJaHg0d0al', 'Szhc1rqGFvg', 'oGn3bVA1gjVxcde0fAzjuN17k2qc', 'NcupQwB37CfZtjtdtAXN', 'kF66JbOpSioiWTHkIMrc7i8UKA', 'Id11SOpmXytGUwNod01XQm'
                      Source: Imprimir_Entrada.exe, 8QdkSJ9LIchOq51wd.cs | High entropy of concatenated method names: 'Dispose', 'yRKTayrXKxVADreG', 'u2tDjojVWlUAJBvWSHqLo0', '_249L0IYztkTG3tQOnl7DMWW', 'wkovjy574O', 'IkctN8wla041mC3Cjrwbgh8ZPdn', '_4oVMo3HnK2tFau6', '_2sCspvVQHxUkm', 'duUgqverNt'
                      Source: Imprimir_Entrada.exe, KilG6AXpVy3dBSwGcdCN.cs | High entropy of concatenated method names: '_0002', 'cLKlscv7w7hC1AqVyxix9SF2', 'eXDAFp3DyrXbeNhmrj', 'WaKRFvopeatKFSLOEr7qRn8CST4', 'jAKRsOfAUF7Ob9Zn', 'hSJT9d5u3js', 'H8w1UGdQbb0wL39usOS', 'V6vBuAjhPhzowi', 'GLXG35WoGbWIGd', 'BoRdGLNuGUg6B'
                      Source: Imprimir_Entrada.exe, d1z8iwg2u7.cs | High entropy of concatenated method names: '_0002', 'nRmiJCYnHj3ymQJ3zQs9L', 'xW4FF7oEPzNrrBxmOCzwac', 'CNsY2qlB8YAdQoE7a9CTD', '_5iIFNCqJYLVw11WivYnyPS', 'hh8KEYxXJgbSKQwdjVyAzIe', 'Mk2OopPWn1kiO2lvlyLPajMS8', 'EcaS1YDM7dgitdRFpTqOOrtDYA6O', '_0002'
                      Source: Imprimir_Entrada.exe, zw7EnVIGFQPuk0Ue1ILxCybAC.cs | High entropy of concatenated method names: 'x65Q2ZDIroTXnOQAE4RPMP', 'jJ6KqtBV7C8hMKyX0rbIpLd', '_7hCugswbiPVG5OWZpTV', 'oqDzPgbiuGAXpbMI', 'RyOPh96ysclUCdW0JzReNfA'
                      Source: Imprimir_Entrada.exe, 7Fo6xojWB9.cs | High entropy of concatenated method names: 'OxRBXXOqDH', 'EGBiGrMdUAwVhrgvK', 'gzjpnUjt74FIRcCdsRtR21n4yAcbu', '_0lErgRxZcr9WtRYM', 'UTD9PC2GpMo1n2I9oDdDj5uq', 'yBSfIVgmQHIqUljL', '_1FIizy1XEN4IKYiXqbAkkh', 'IPWu9SUc427Ephu8MbIDHldGsk'
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | File created: C:\Users\user\AppData\Local\Temp\LM6C8EYHXFcK.exe
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | File created: C:\Users\user\AppData\Roaming\SubDir\Client.exe

                      Boot Survival

                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Photoshop Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | File opened: C:\Users\user\Desktop\Imprimir_Entrada.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Memory allocated: 11F6C5E0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Memory allocated: 11F6E050000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: 1D838140000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: 1D850310000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: 26E98350000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Memory allocated: 26EB1CC0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Window / User API: threadDelayed 4531
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Window / User API: threadDelayed 4757
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\LM6C8EYHXFcK.exe
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe TID: 6640 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7212 | Thread sleep count: 86 > 30
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7264 | Thread sleep time: -24903104499507879s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7268 | Thread sleep count: 4531 > 30
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7268 | Thread sleep count: 4757 > 30
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 6608 | Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7236 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Thread delayed: delay time: 922337203685477
                      Source: Client.exe, 00000004.00000002.3698641246.000001D850C80000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3699365094.000001D850D72000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: netsh.exe, 0000000E.00000003.1350893174.000002B809565000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Memory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Photoshop Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Photoshop Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Process created: C:\Windows\System32\netsh.exe "netsh" wlan show profiles
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Queries volume information: C:\Users\user\Desktop\Imprimir_Entrada.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
                      Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\Imprimir_Entrada.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings

                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Process created: C:\Windows\System32\netsh.exe "netsh" wlan show profiles

                      Stealing of Sensitive Information

                      Source: Yara match | File source: Imprimir_Entrada.exe, type: SAMPLE
                      Source: Yara match | File source: 0.2.Imprimir_Entrada.exe.11f6c7d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Imprimir_Entrada.exe.11f6c7d0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.Imprimir_Entrada.exe.11f6c190000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.1277368267.0000011F6EA82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1276901567.0000011F6C7D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1275681330.0000011F6C3D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000D.00000002.1320232290.0000026E98206000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.1231929670.0000011F6C192000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Imprimir_Entrada.exe PID: 6604, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Client.exe PID: 4212, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Client.exe PID: 7188, type: MEMORYSTR
                      Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | Process created: C:\Windows\System32\netsh.exe "netsh" wlan show profiles
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                      Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History

                      Remote Access Functionality

                      Source: Yara match | File source: Imprimir_Entrada.exe, type: SAMPLE
                      Source: Yara match | File source: 0.2.Imprimir_Entrada.exe.11f6c7d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Imprimir_Entrada.exe.11f6c7d0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.Imprimir_Entrada.exe.11f6c190000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.1277368267.0000011F6EA82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1276901567.0000011F6C7D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1275681330.0000011F6C3D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000D.00000002.1320232290.0000026E98206000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.1231929670.0000011F6C192000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Imprimir_Entrada.exe PID: 6604, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Client.exe PID: 4212, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Client.exe PID: 7188, type: MEMORYSTR
                      Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
                      MITRE ATT&CK Matrix (techniques listed per tactic column; leading digits are the badge numbers attached to a technique in the report's matrix)

                      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                      Execution: 21 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                      Persistence: 1 DLL Side-Loading; 1 Create Account; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                      Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                      Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 41 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Hidden Files and Directories
                      Credential Access: 1 OS Credential Dumping; 11 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                      Discovery: 23 System Information Discovery; 1 Query Registry; 111 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery; Network Sniffing
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                      Collection: 11 Archive Collected Data; 1 Data from Local System; 11 Input Capture; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                      Command and Control: 1 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                      Behavior Graph ID: 1664024 | Sample: Imprimir_Entrada.exe | Startdate: 13/04/2025 | Architecture: WINDOWS | Score: 100

                      Start (node 2)
                        DNS/IP: ipwho.is
                        Signatures: Antivirus detection for dropped file; Sigma detected: Capture Wi-Fi password; Multi AV Scanner detection for submitted file; 5 other signatures
                        Started: Imprimir_Entrada.exe (node 9); Client.exe (node 13)
                      Imprimir_Entrada.exe (node 9)
                        Dropped: C:\Users\user\AppData\Roaming\...\Client.exe (PE32); C:\Users\user\...\Imprimir_Entrada.exe.log (CSV)
                        Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
                        Started: Client.exe (node 15); schtasks.exe (node 20)
                      Client.exe (node 15)
                        DNS/IP: 176.65.141.202, 4782, 49687 WEBTRAFFICDE Germany; ipwho.is 15.204.213.5, 443, 49689 HP-INTERNET-ASUS United States
                        Dropped: C:\Users\user\AppData\...\LM6C8EYHXFcK.exe (PE32)
                        Signatures: Multi AV Scanner detection for dropped file; Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
                        Started: netsh.exe (node 22); schtasks.exe (node 24)
                      schtasks.exe (node 20) started: conhost.exe (node 26)
                      netsh.exe (node 22) started: conhost.exe (node 28)
                      schtasks.exe (node 24) started: conhost.exe (node 30)
