Windows Analysis Report
PIptrFxrxR.exe

Overview

General Information

Sample Name: PIptrFxrxR.exe
Analysis ID: 715160
MD5: 3570cfa79638c148588f3f22a7ad58c9
SHA1: 205fcd2a3a45d91ee1bdbaf820f49967539e0159
SHA256: 5b82bbf81826faa8e2ff41c468af4632d3151eabec01e5535d9a7c4659528c51
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to steal Crypto Currency Wallets
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Binary contains a suspicious time stamp
Detected potential crypto function
Yara detected Credential Stealer
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

  • System is w10x64
  • PIptrFxrxR.exe (PID: 3804 cmdline: C:\Users\user\Desktop\PIptrFxrxR.exe MD5: 3570CFA79638C148588F3F22A7AD58C9)
  • cleanup
Malware Configuration (RedLine): {"C2 url": ["65.108.247.147:37767"], "Authorization Header": "6a82f1fb90afb278c299e83d46279927"}
Source | Rule | Description | Author | Strings
PIptrFxrxR.exe | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1c68:$pat14: , CommandLine:
  • 0x39a2b:$v2_1: ListOfProcesses
  • 0x397b4:$v4_3: base64str
  • 0x3a8c2:$v4_4: stringKey
  • 0x3729f:$v4_5: BytesToStringConverted
  • 0x362e6:$v4_6: FromBase64
  • 0x37a9b:$v4_8: procName
  • 0x37e38:$v5_1: DownloadAndExecuteUpdate
  • 0x396c4:$v5_2: ITaskProcessor
  • 0x37e26:$v5_3: CommandLineUpdate
  • 0x37e17:$v5_4: DownloadUpdate
  • 0x3853f:$v5_5: FileScanning
  • 0x3761e:$v5_7: RecordHeaderField
  • 0x3700c:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: PIptrFxrxR.exe PID: 3804 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: PIptrFxrxR.exe PID: 3804 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author | Strings
0.0.PIptrFxrxR.exe.990000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1c68:$pat14: , CommandLine:
  • 0x39a2b:$v2_1: ListOfProcesses
  • 0x397b4:$v4_3: base64str
  • 0x3a8c2:$v4_4: stringKey
  • 0x3729f:$v4_5: BytesToStringConverted
  • 0x362e6:$v4_6: FromBase64
  • 0x37a9b:$v4_8: procName
  • 0x37e38:$v5_1: DownloadAndExecuteUpdate
  • 0x396c4:$v5_2: ITaskProcessor
  • 0x37e26:$v5_3: CommandLineUpdate
  • 0x37e17:$v5_4: DownloadUpdate
  • 0x3853f:$v5_5: FileScanning
  • 0x3761e:$v5_7: RecordHeaderField
  • 0x3700c:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT

No Sigma rule has matched

Timestamp: 10/03/22-17:33:23.343299
Source IP: 192.168.2.5
Destination IP: 65.108.247.147
SID: 2850027
Source Port: 49698
Destination Port: 37767
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/03/22-17:33:45.506493
Source IP: 192.168.2.5
Destination IP: 65.108.247.147
SID: 2850286
Source Port: 49698
Destination Port: 37767
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/03/22-17:33:24.983524
Source IP: 65.108.247.147
Destination IP: 192.168.2.5
SID: 2850353
Source Port: 37767
Destination Port: 49698
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: PIptrFxrxR.exe | ReversingLabs: Detection: 80%
Source: PIptrFxrxR.exe | Virustotal: Detection: 66%
Source: PIptrFxrxR.exe | Metadefender: Detection: 61%
Source: PIptrFxrxR.exe | Joe Sandbox ML: detected
Source: PIptrFxrxR.exe | Malware Configuration Extractor: RedLine {"C2 url": ["65.108.247.147:37767"], "Authorization Header": "6a82f1fb90afb278c299e83d46279927"}
Source: PIptrFxrxR.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PIptrFxrxR.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic | Snort IDS: 2850027 ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.5:49698 -> 65.108.247.147:37767
Source: Traffic | Snort IDS: 2850286 ETPRO TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49698 -> 65.108.247.147:37767
Source: Traffic | Snort IDS: 2850353 ETPRO MALWARE Redline Stealer TCP CnC - Id1Response 65.108.247.147:37767 -> 192.168.2.5:49698
Source: global traffic | TCP traffic: 192.168.2.5:49698 -> 65.108.247.147:37767
Source: Joe Sandbox View | ASN Name: ALABANZA-BALTUS ALABANZA-BALTUS
Source: unknown | TCP traffic detected without corresponding DNS query: 65.108.247.147
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: PIptrFxrxR.exe, 00000000.00000002.396395728.000000000151E000.00000004.00000020.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000003.392866445.000000000151C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faulth
Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: PIptrFxrxR.exe, 00000000.00000002.397506308.0000000002F99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1
Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10
Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.397506308.0000000002F99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11
Source: PIptrFxrxR.exe, 00000000.00000002.401721951.00000000034CC000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12
Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12Response
              Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.397506308.0000000002F99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.397506308.0000000002F99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
              Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.397506308.0000000002F99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
              Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
              Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
              Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Responsed
              Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.397506308.0000000002F99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
              Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
              Source: PIptrFxrxR.exe, 00000000.00000002.397506308.0000000002F99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Responsed
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
              Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.397506308.0000000002F99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
              Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
              Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
              Source: PIptrFxrxR.exe, 00000000.00000002.397506308.0000000002F99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
              Source: PIptrFxrxR.exe, 00000000.00000002.401721951.00000000034CC000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
              Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.397506308.0000000002F99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.397506308.0000000002F99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
              Source: PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
              Source: PIptrFxrxR.exe, 00000000.00000002.402706969.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.401620836.00000000034BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
              Source: PIptrFxrxR.exe, 00000000.00000002.402706969.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.401620836.00000000034BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: PIptrFxrxR.exe, 00000000.00000002.402706969.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.401620836.00000000034BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: PIptrFxrxR.exe, 00000000.00000002.398595426.0000000003124000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.399235681.000000000321E000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.399542263.000000000328F000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.400059135.000000000332B000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.402706969.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.401620836.00000000034BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: PIptrFxrxR.exe, 00000000.00000002.402706969.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.401620836.00000000034BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: PIptrFxrxR.exe, 00000000.00000002.398595426.0000000003124000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.399235681.000000000321E000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.399542263.000000000328F000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.400059135.000000000332B000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.402706969.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.401620836.00000000034BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
              Source: PIptrFxrxR.exe, 00000000.00000002.398595426.0000000003124000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.399235681.000000000321E000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.399542263.000000000328F000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.400059135.000000000332B000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.402706969.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.401620836.00000000034BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
              Source: PIptrFxrxR.exe, 00000000.00000002.402706969.0000000003EF0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
              Source: PIptrFxrxR.exe, 00000000.00000002.398595426.0000000003124000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.399235681.000000000321E000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.399542263.000000000328F000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.400059135.000000000332B000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.402706969.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.401620836.00000000034BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
              Source: PIptrFxrxR.exe, 00000000.00000002.398595426.0000000003124000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.399235681.000000000321E000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.399542263.000000000328F000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.400059135.000000000332B000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.402706969.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.401620836.00000000034BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: PIptrFxrxR.exe, 00000000.00000002.394385561.0000000001149000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              System Summary

              Source: PIptrFxrxR.exe, type: SAMPLE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
              Source: 0.0.PIptrFxrxR.exe.990000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
              Source: PIptrFxrxR.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: PIptrFxrxR.exe, type: SAMPLE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0.0.PIptrFxrxR.exe.990000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: PIptrFxrxR.exe, 00000000.00000000.295610288.0000000000992000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameThanatoid.exe4 vs PIptrFxrxR.exe
              Source: PIptrFxrxR.exe, 00000000.00000002.394385561.0000000001149000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PIptrFxrxR.exe
              Source: PIptrFxrxR.exe, 00000000.00000002.397506308.0000000002F99000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs PIptrFxrxR.exe
              Source: PIptrFxrxR.exe | Binary or memory string: OriginalFilenameThanatoid.exe4 vs PIptrFxrxR.exe
              Source: PIptrFxrxR.exe | ReversingLabs: Detection: 80%
              Source: PIptrFxrxR.exe | Virustotal: Detection: 66%
              Source: PIptrFxrxR.exe | Metadefender: Detection: 61%
              Source: PIptrFxrxR.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: PIptrFxrxR.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: C:\Users\user\Desktop\PIptrFxrxR.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
              Source: C:\Users\user\Desktop\PIptrFxrxR.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\PIptrFxrxR.exe | File created: C:\Users\user\AppData\Local\Yandex
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
              Source: PIptrFxrxR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: PIptrFxrxR.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Code function: 0_2_01048B08 pushad ; iretd
              Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Code function: 0_2_01048B12 pushad ; iretd
              Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Code function: 0_2_01042DFB push ds; ret
              Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Code function: 0_2_014B1B5B push esp; retf 0575h
              Source: PIptrFxrxR.exe | Static PE information: 0xF5E7E28F [Sun Sep 26 04:05:35 2100 UTC]
              Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\PIptrFxrxR.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Window / User API: threadDelayed 4764
Source: C:\Users\user\Desktop\PIptrFxrxR.exe TID: 3316 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\Desktop\PIptrFxrxR.exe TID: 5960 | Thread sleep count: 4764 > 30
Source: C:\Users\user\Desktop\PIptrFxrxR.exe TID: 4848 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Process information queried: ProcessInformation
Source: PIptrFxrxR.exe, 00000000.00000002.409854122.0000000006254000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
Source: PIptrFxrxR.exe, 00000000.00000002.409854122.0000000006254000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMware18TMEWF6Win32_VideoControllerGLR9OPV8VideoController120060621000000.000000-00038816352display.infMSBDAGB3BOPF9PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsOLNVTUVA
Source: PIptrFxrxR.exe, 00000000.00000002.394727901.000000000117F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Queries volume information: C:\Users\user\Desktop\PIptrFxrxR.exe VolumeInformation
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: PIptrFxrxR.exe, 00000000.00000002.409854122.0000000006254000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.394727901.000000000117F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

              Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PIptrFxrxR.exe PID: 3804, type: MEMORYSTR
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\PIptrFxrxR.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PIptrFxrxR.exe PID: 3804, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PIptrFxrxR.exe PID: 3804, type: MEMORYSTR
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 221 Windows Management Instrumentation | Path Interception | Path Interception | 1 Masquerading | 1 OS Credential Dumping | 231 Security Software Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | 1 Input Capture | 11 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 231 Virtualization/Sandbox Evasion | Security Account Manager | 231 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 2 Data from Local System | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 123 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

Source | Detection | Scanner | Label | Link
PIptrFxrxR.exe | 81% | ReversingLabs | ByteCode-MSIL.Infostealer.RedLine |
PIptrFxrxR.exe | 66% | Virustotal | | Browse
PIptrFxrxR.exe | 61% | Metadefender | | Browse
PIptrFxrxR.exe | 100% | Joe Sandbox ML | |
              No Antivirus matches
Source | Detection | Scanner | Label | Link
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe |
http://tempuri.org/ | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe |
http://ns.adobe.c/g | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe |
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id23Response | 0% | URL Reputation | safe |
              No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | PIptrFxrxR.exe, 00000000.00000002.398595426.0000000003124000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.399235681.000000000321E000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.399542263.000000000328F000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.400059135.000000000332B000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.402706969.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.401620836.00000000034BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | PIptrFxrxR.exe, 00000000.00000002.402706969.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.401620836.00000000034BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ns.adobe.c/g | PIptrFxrxR.exe, 00000000.00000002.396395728.000000000151E000.00000004.00000020.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000003.392866445.000000000151C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faulth | PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id4 | PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id7 | PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6 | PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PIptrFxrxR.exe, 00000000.00000002.397506308.0000000002F99000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | PIptrFxrxR.exe, 00000000.00000002.401721951.00000000034CC000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9Response | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | PIptrFxrxR.exe, 00000000.00000002.402706969.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.401620836.00000000034BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20 | PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21 | PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id22 | PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23 | PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24 | PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24Response | PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1Response | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= | PIptrFxrxR.exe, 00000000.00000002.398595426.0000000003124000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.399235681.000000000321E000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.399542263.000000000328F000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.400059135.000000000332B000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.402706969.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.401620836.00000000034BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoPIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryPIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCPIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyPIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2004/08/addressingPIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssuePIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionPIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/04/trustPIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://tempuri.org/Entity/Id10PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://tempuri.org/Entity/Id11PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://tempuri.org/Entity/Id12PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://tempuri.org/Entity/Id16ResponsePIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.397506308.0000000002F99000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponsePIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelPIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/Entity/Id13PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id14PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id15PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id16PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/NoncePIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://tempuri.org/Entity/Id17PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id18PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id5ResponsePIptrFxrxR.exe, 00000000.00000002.397506308.0000000002F99000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id19PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsPIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id10ResponsePIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.397506308.0000000002F99000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RenewPIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://tempuri.org/Entity/Id8ResponsePIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.397506308.0000000002F99000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyPIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDPIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTPIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2006/02/addressingidentityPIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/soap/envelope/PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://search.yahoo.com?fr=crmas_sfpfPIptrFxrxR.exe, 00000000.00000002.398595426.0000000003124000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.399235681.000000000321E000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.399542263.000000000328F000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.400059135.000000000332B000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.402706969.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.401620836.00000000034BF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyPIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1PIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trustPIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackPIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://tempuri.org/Entity/Id23ResponsePIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.396923501.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, PIptrFxrxR.exe, 00000000.00000002.397506308.0000000002F99000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTPIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/06/addressingexPIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wscoorPIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/NoncePIptrFxrxR.exe, 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
IP | Domain | Country | ASN | ASN Name | Malicious
65.108.247.147 | unknown | United States | 11022 | ALABANZA-BALTUS | true
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 715160
Start date and time: 2022-10-03 17:32:07 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 8s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PIptrFxrxR.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
• TCP Packets have been reduced to 100
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
17:33:42 | API Interceptor | 26x Sleep call for process: PIptrFxrxR.exe modified
No context
Process: C:\Users\user\Desktop\PIptrFxrxR.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2843
Entropy (8bit): 5.3371553026862095
Encrypted: false
SSDEEP: 48:MxHKXeHKlEHU0YHKhQnouHIWUfHKhBHKdHKBfHK5AHKzvQTHmtHoxHImHK1HjHK0:iqXeqm00YqhQnouOqLqdqNq2qzcGtIxY
MD5: 9A010D404524B7E80B293AEC6FB4AF7F
SHA1: B238A081C1D05DA6F76DA2F30C529C4275CCF5CF
SHA-256: 3FF08BA477214E6F51EC1F879A44FC02CBE69A69B072E7B317F337A786B21D63
SHA-512: C7D0D118BFF6E2EDEF02290FC042556502D99967A37A5EDF98AF905BA66C4C2D2C159594DB3D22B5117EC5AA7DB910313A6370F650B9534D5B17E57378E02E2A
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.04482516274698
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: PIptrFxrxR.exe
File size: 369152
MD5: 3570cfa79638c148588f3f22a7ad58c9
SHA1: 205fcd2a3a45d91ee1bdbaf820f49967539e0159
SHA256: 5b82bbf81826faa8e2ff41c468af4632d3151eabec01e5535d9a7c4659528c51
SHA512: 2dba3f1abfea0fe86fbf9581953528b02e88f96f45d2a22092bbc5d3922cb7540843d61758b3ee10dd57af70b38119dbfd1868df6d910562f607ed99f328144a
SSDEEP: 6144:tJhbp5Iy4wUHkjT/eASp1+7lvoe/YuasdHQO33JnTyIuHOn4ssEFZIQ3uSwsZ5jY:vhf+DMTmASP+uewuasdHQO33JnTyIuHZ
TLSH: 6074619D766072EFC857C976CAA81C64FA7074BB930BD203A06316ED9A4D59BCF140F2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............>.... ........@.. ....................................@................................
Icon Hash: 5161454747646c1b
Entrypoint: 0x45b13e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xF5E7E28F [Sun Sep 26 04:05:35 2100 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above is repeated 97 times in the listing: the bytes following the CLR entry-point stub are zeros, and the two-byte opcode 00 00 disassembles as add byte ptr [eax], al)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x5b0f0          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x5c000          0xab2         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x59144       0x59200   False     0.45041308730715285  data       6.051994541490018    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x5c000          0xab2         0xc00     False     0.5511067708333334   data       5.137865378285585    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x5e000          0xc           0x200     False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size   Type                                                                                         Language  Country
RT_ICON        0x5c130  0x468  Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m
RT_GROUP_ICON  0x5c598  0x14   data
RT_VERSION     0x5c5ac  0x31c  data
RT_MANIFEST    0x5c8c8  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                 Protocol  SID      Message                                              Source Port  Dest Port  Source IP       Dest IP
10/03/22-17:33:23.343299  TCP       2850027  ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init    49698        37767      192.168.2.5     65.108.247.147
10/03/22-17:33:45.506493  TCP       2850286  ETPRO TROJAN Redline Stealer TCP CnC Activity        49698        37767      192.168.2.5     65.108.247.147
10/03/22-17:33:24.983524  TCP       2850353  ETPRO MALWARE Redline Stealer TCP CnC - Id1Response  37767        49698      65.108.247.147  192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2022 17:33:22.906542063 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:22.944623947 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:22.947901964 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:23.343298912 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:23.382127047 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:23.605457067 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:24.941049099 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:24.983524084 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:25.105386972 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:32.487346888 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:32.535263062 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:32.535300970 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:32.535320044 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:32.535408974 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:34.352969885 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:34.395081997 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:34.449945927 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:35.018985987 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:35.075258970 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:35.086642027 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:35.168145895 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:35.311141014 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:35.356277943 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:35.398336887 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:35.437460899 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:35.481300116 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:35.570745945 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:35.609148026 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:35.635761023 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:35.674354076 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:35.686705112 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:35.725313902 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:35.778151989 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:36.019516945 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:36.057555914 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:36.058671951 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:36.106349945 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:36.236470938 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:36.274313927 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:36.274352074 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:36.274367094 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:36.275789022 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:36.295092106 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:36.333673954 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:36.387658119 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:37.009210110 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:37.051856041 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:37.106440067 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:37.606472969 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:37.644608021 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:37.645085096 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:37.700344086 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:37.736826897 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:37.775484085 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:37.825210094 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:44.185143948 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:44.226258993 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.278942108 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:44.489326000 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:44.527784109 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.669680119 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:44.873816967 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:44.911992073 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.912024975 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.912050009 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.912126064 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.912170887 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.912221909 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:44.912324905 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:44.912358046 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:44.951165915 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.951196909 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.951209068 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.951220989 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.951235056 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.951248884 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.951263905 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.951276064 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.951431036 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:44.951517105 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:44.951766968 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:44.989597082 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.989684105 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.989763975 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.989778996 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:44.989813089 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.989828110 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.989897013 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.989980936 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.990366936 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.990389109 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.990406036 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.990422964 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.990441084 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.990453959 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.990524054 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:44.990648031 CEST | 49698 | 37767 | 192.168.2.5 | 65.108.247.147
Oct 3, 2022 17:33:44.990686893 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.990700006 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
Oct 3, 2022 17:33:44.990734100 CEST | 37767 | 49698 | 65.108.247.147 | 192.168.2.5
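The Snort alert rows and the TCP packet rows above are flattened table cells in which the port and address digits run together, so the split between the two ports and the two IPs is ambiguous unless the analysis host's address is known. The following Python is an added example for this page (it is not Joe Security's code and not part of the report): it reconstructs rows of that shape, using the analysis host address 192.168.2.5 given in the table to pick the one valid split, then summarises the session (C2 endpoint, client port, packets in each direction, duration, busiest second) and lines each Snort alert up with the listed packet nearest to it in time. The row subset, the alert tuples and all function and field names are the example's own; timestamps are treated as naive values (the CEST label is dropped) because only differences between them are used.

```python
"""Reconstruct the flattened TCP packet rows of a Joe Sandbox report and
summarise the C2 session.  Added example for this page, not Joe Security code;
it assumes only the row layout visible above (timestamp, zone, then source
port, dest port, source IP and dest IP run together without separators)."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

HOST_IP = "192.168.2.5"  # analysis VM address, as given in the report

# Rows copied from the packet table above (a constructed subset for the example).
ROWS = [
    "Oct 3, 2022 17:33:22.906542063 CEST4969837767192.168.2.565.108.247.147",
    "Oct 3, 2022 17:33:22.944623947 CEST377674969865.108.247.147192.168.2.5",
    "Oct 3, 2022 17:33:23.343298912 CEST4969837767192.168.2.565.108.247.147",
    "Oct 3, 2022 17:33:24.983524084 CEST377674969865.108.247.147192.168.2.5",
    "Oct 3, 2022 17:33:32.487346888 CEST4969837767192.168.2.565.108.247.147",
    "Oct 3, 2022 17:33:44.185143948 CEST4969837767192.168.2.565.108.247.147",
    "Oct 3, 2022 17:33:44.912024975 CEST377674969865.108.247.147192.168.2.5",
    "Oct 3, 2022 17:33:44.990734100 CEST377674969865.108.247.147192.168.2.5",
]
# (Snort timestamp, SID, message) copied from the alert table above.
ALERTS = [
    ("10/03/22-17:33:23.343299", 2850027, "ETPRO TROJAN RedLine Stealer TCP CnC net.tcp Init"),
    ("10/03/22-17:33:24.983524", 2850353, "ETPRO MALWARE Redline Stealer TCP CnC - Id1Response"),
    ("10/03/22-17:33:45.506493", 2850286, "ETPRO TROJAN Redline Stealer TCP CnC Activity"),
]
ROW_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) "
                    r"[A-Z]+(?P<rest>[\d.]+)$")
IP_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

@dataclass(frozen=True)
class Packet:
    when: float   # epoch seconds; the zone label is dropped, only deltas are used
    second: str   # timestamp truncated to the second, for bucketing
    sport: int
    dport: int
    src: str
    dst: str

def valid_ip(s: str) -> bool:
    m = IP_RE.match(s)
    return bool(m) and all(int(o) <= 255 for o in m.groups())

def split_rest(rest: str, host_ip: str):
    """Split '<sport><dport><ip><ip>' by trying every port-length split and
    keeping the unique one whose IP pair contains the known analysis host."""
    found = set()
    for a in range(1, 6):
        for b in range(1, 6):
            sport, dport, ips = rest[:a], rest[a:a + b], rest[a + b:]
            if not (sport.isdigit() and dport.isdigit()) or max(int(sport), int(dport)) > 65535:
                continue
            if ips.startswith(host_ip) and valid_ip(ips[len(host_ip):]):
                found.add((int(sport), int(dport), host_ip, ips[len(host_ip):]))
            if ips.endswith(host_ip) and valid_ip(ips[:-len(host_ip)]):
                found.add((int(sport), int(dport), ips[:-len(host_ip)], host_ip))
    if len(found) != 1:
        raise ValueError(f"ambiguous or unparsable row tail {rest!r}: {found}")
    return found.pop()

def parse_row(row: str, host_ip: str = HOST_IP) -> Packet:
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row {row!r}")
    base = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    sport, dport, src, dst = split_rest(m["rest"], host_ip)
    return Packet(base.timestamp() + float("0." + m["frac"]), m["ts"], sport, dport, src, dst)

def snort_time(ts: str) -> float:
    """Snort alert timestamps are MM/DD/YY-HH:MM:SS.usec."""
    base, frac = ts.split(".")
    dt = datetime.strptime(base, "%m/%d/%y-%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.timestamp() + float("0." + frac)

def summarise(rows, host_ip: str = HOST_IP) -> dict:
    """Session facts an analyst pulls from the packet list: C2 endpoint, client
    port, per-direction packet counts, duration and the densest second."""
    pkts = [parse_row(r, host_ip) for r in rows]
    outbound = [p for p in pkts if p.src == host_ip]
    busiest, count = Counter(p.second for p in pkts).most_common(1)[0]
    return {
        "c2_endpoints": sorted({f"{p.dst}:{p.dport}" for p in outbound}),
        "client_ports": sorted({p.sport for p in outbound}),
        "packets_out": len(outbound),
        "packets_in": len(pkts) - len(outbound),
        "duration_s": round(max(p.when for p in pkts) - min(p.when for p in pkts), 6),
        "busiest_second": busiest,
        "busiest_count": count,
    }

def match_alerts(alerts, pkts, tol: float = 0.001) -> dict:
    """Map each alert SID to the listed packet nearest in time, or None when no
    packet lies within `tol` seconds (the packet list can end before an alert)."""
    out = {}
    for ts, sid, _msg in alerts:
        t = snort_time(ts)
        nearest = min(pkts, key=lambda p: abs(p.when - t))
        out[sid] = nearest if abs(nearest.when - t) <= tol else None
    return out
```

Calling `summarise(ROWS)` gives the C2 endpoint 65.108.247.147:37767 and client port 49698 as IOCs; `match_alerts(ALERTS, [parse_row(r) for r in ROWS])` ties SID 2850027 (net.tcp Init) to the outbound packet at 17:33:23.343 and SID 2850353 (Id1Response) to the inbound packet at 17:33:24.983, while SID 2850286 (CnC Activity, 17:33:45.506) matches nothing, because the listed packets end at 17:33:44.990. Run over all 100 rows of the table, the busiest second is 17:33:44, which holds 45 of the listed rows; correlating the third alert needs the full capture rather than the report's packet excerpt.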
No statistics

Target ID: 0
Start time: 17:33:01
Start date: 03/10/2022
Path: C:\Users\user\Desktop\PIptrFxrxR.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\PIptrFxrxR.exe
Imagebase: 0x990000
File size: 369152 bytes
MD5 hash: 3570CFA79638C148588F3F22A7AD58C9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.397297996.0000000002F54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

No disassembly