Windows Analysis Report
cici.exe

Overview

General Information

Sample name: cici.exe
Analysis ID: 1583251
MD5: aa7e5ae710a742491d6d185ae235ada8
SHA1: b35290cc2ad30580180c4520a7ba3fd88d9e913b
SHA256: 916fd267917a216fde3652623c749ea890f3530195ef8bbfad9139a37cb4a813
Tags: exe, RedLineStealer, user-lontze7

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cici.exe (PID: 7724 cmdline: "C:\Users\user\Desktop\cici.exe" MD5: AA7E5AE710A742491D6D185AE235ADA8)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["185.81.68.147:1912"], "Bot Id": "jhhg", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author | Strings
cici.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
cici.exe | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io | matched strings listed below
  • 0x24cc3:$gen01: ChromeGetRoamingName
  • 0x24ce8:$gen02: ChromeGetLocalName
  • 0x24d2b:$gen03: get_UserDomainName
  • 0x28bc4:$gen04: get_encrypted_key
  • 0x27943:$gen05: browserPaths
  • 0x27c19:$gen06: GetBrowsers
  • 0x27501:$gen07: get_InstalledInputLanguages
  • 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
  • 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
  • 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
  • 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
  • 0x296f8:$spe9: *wallet*
  • 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
  • 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042
  • 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
  • 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
  • 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
  • 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
  • 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02
  • 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000000.1334088863.0000000000DE2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.1491940494.00000000035DF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: cici.exe PID: 7724 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: cici.exe PID: 7724 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0.0.cici.exe.de0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.0.cici.exe.de0000.0.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io | matched strings listed below
  • 0x24cc3:$gen01: ChromeGetRoamingName
  • 0x24ce8:$gen02: ChromeGetLocalName
  • 0x24d2b:$gen03: get_UserDomainName
  • 0x28bc4:$gen04: get_encrypted_key
  • 0x27943:$gen05: browserPaths
  • 0x27c19:$gen06: GetBrowsers
  • 0x27501:$gen07: get_InstalledInputLanguages
  • 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
  • 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
  • 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
  • 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
  • 0x296f8:$spe9: *wallet*
  • 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
  • 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042
  • 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
  • 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
  • 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
  • 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
  • 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02
  • 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T09:29:09.537702+0100 | 2043234 | 1 | A Network Trojan was detected | 185.81.68.147 | 1912 | 192.168.2.9 | 49731 | TCP
2025-01-02T09:29:09.319239+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:14.831547+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:15.272904+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:15.506324+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:15.734061+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:15.959384+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:16.178679+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:16.440229+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:16.724443+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:17.038818+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:17.342439+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:17.347433+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:19.276839+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:19.548551+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:20.127769+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:20.348409+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:20.743818+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:21.078009+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:21.302034+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:21.524359+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:21.791272+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:22.013433+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:22.232452+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:22.450942+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:22.714673+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP
2025-01-02T09:29:15.277889+0100 | 2046056 | 1 | A Network Trojan was detected | 185.81.68.147 | 1912 | 192.168.2.9 | 49731 | TCP
2025-01-02T09:29:09.319239+0100 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.9 | 49731 | 185.81.68.147 | 1912 | TCP


AV Detection

Source: cici.exe | Malware Configuration Extractor: RedLine {"C2 url": ["185.81.68.147:1912"], "Bot Id": "jhhg", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: cici.exe | Virustotal: Detection: 80%
Source: cici.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: cici.exe | Joe Sandbox ML: detected
Source: cici.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: cici.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.9:49731 -> 185.81.68.147:1912
Source: Network traffic | Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.9:49731 -> 185.81.68.147:1912
Source: Network traffic | Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 185.81.68.147:1912 -> 192.168.2.9:49731
Source: Network traffic | Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 185.81.68.147:1912 -> 192.168.2.9:49731
Source: Malware configuration extractor | URLs: 185.81.68.147:1912
Source: global traffic | TCP traffic: 192.168.2.9:49731 -> 185.81.68.147:1912
Source: Joe Sandbox View | IP Address: 185.81.68.147
Source: Joe Sandbox View | ASN Name: KLNOPT-ASFI
Source: unknown | TCP traffic detected without corresponding DNS query: 185.81.68.147
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceModel
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceModelD
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/:hardwares.
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003587000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003587000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, cici.exe, 00000000.00000002.1491940494.00000000035DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: cici.exe, 00000000.00000002.1491940494.00000000035DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004457000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15V
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: cici.exe, 00000000.00000002.1491940494.00000000037FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003760000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16V
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: cici.exe, 00000000.00000002.1491940494.00000000037E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: cici.exe, 00000000.00000002.1491940494.00000000037FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                    Source: cici.exe, 00000000.00000002.1491940494.00000000037FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, cici.exe, 00000000.00000002.1491940494.00000000037FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: cici.exe, 00000000.00000002.1491940494.00000000037FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: cici.exe, 00000000.00000002.1491940494.00000000037E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                    Source: cici.exe, 00000000.00000002.1491940494.00000000037E0000.00000004.00000800.00020000.00000000.sdmp, cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: cici.exe, 00000000.00000002.1491940494.00000000037E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004457000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: cici.exeString found in binary or memory: https://api.ip.sb/ip
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004457000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004457000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004457000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004457000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004457000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004457000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004457000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004457000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                    System Summary

                    barindex
                    Source: cici.exe, type: SAMPLEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                    Source: 0.0.cici.exe.de0000.0.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                    Source: C:\Users\user\Desktop\cici.exeCode function: 0_2_0147DC740_2_0147DC74
                    Source: cici.exe, 00000000.00000002.1490662607.00000000014AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs cici.exe
                    Source: cici.exe, 00000000.00000000.1334124257.0000000000E26000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs cici.exe
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs cici.exe
                    Source: cici.exeBinary or memory string: OriginalFilenameSteanings.exe8 vs cici.exe
                    Source: cici.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: cici.exe, type: SAMPLEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                    Source: 0.0.cici.exe.de0000.0.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
                    Source: C:\Users\user\Desktop\cici.exeFile created: C:\Users\user\AppData\Local\SystemCacheJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeMutant created: NULL
                    Source: cici.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: cici.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\cici.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\cici.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Users\user\Desktop\cici.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Users\user\Desktop\cici.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\Desktop\cici.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: cici.exe, 00000000.00000002.1491940494.00000000038A6000.00000004.00000800.00020000.00000000.sdmp, cici.exe, 00000000.00000002.1491940494.00000000038BD000.00000004.00000800.00020000.00000000.sdmp, cici.exe, 00000000.00000002.1491940494.00000000038CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: cici.exeVirustotal: Detection: 80%
                    Source: cici.exeReversingLabs: Detection: 71%
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: rstrtmgr.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\cici.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                    Source: cici.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: cici.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: cici.exeStatic PE information: 0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]
                    Source: C:\Users\user\Desktop\cici.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\cici.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Users\user\Desktop\cici.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\cici.exe | Memory allocated: 1470000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\cici.exe | Memory allocated: 31D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\cici.exe | Memory allocated: 51D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\cici.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\cici.exe | Window / User API: threadDelayed 1486
                    Source: C:\Users\user\Desktop\cici.exe | Window / User API: threadDelayed 3357
                    Source: C:\Users\user\Desktop\cici.exe TID: 7932 | Thread sleep time: -14757395258967632s >= -30000s
                    Source: C:\Users\user\Desktop\cici.exe TID: 7744 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\cici.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\cici.exe | Thread delayed: delay time: 922337203685477
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696497155s
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696497155f
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696497155x
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696497155x
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696497155t
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696497155t
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696497155f
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696497155s
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696497155j
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696497155t
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696497155j
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696497155o
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696497155o
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1503577016.00000000063D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696497155t
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
                    Source: cici.exe, 00000000.00000002.1491940494.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696497155
                    Source: cici.exe, 00000000.00000002.1496226732.0000000004627000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                    Source: C:\Users\user\Desktop\cici.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\cici.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\cici.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\cici.exe | Queries volume information: C:\Users\user\Desktop\cici.exe VolumeInformation
                    Source: C:\Users\user\Desktop\cici.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\cici.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\cici.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\cici.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\cici.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\cici.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Users\user\Desktop\cici.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Users\user\Desktop\cici.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\cici.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\cici.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\cici.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\Desktop\cici.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: cici.exe, 00000000.00000002.1490662607.0000000001562000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\cici.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\cici.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\cici.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\Desktop\cici.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\cici.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\cici.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: cici.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.cici.exe.de0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.1334088863.0000000000DE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: cici.exe PID: 7724, type: MEMORYSTR
                    Source: cici.exe, 00000000.00000002.1491940494.00000000035DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\walletsLR
                    Source: cici.exe, 00000000.00000002.1491940494.00000000035DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q0C:\Users\user\AppData\Roaming\Electrum\wallets\*
                    Source: cici.exe, 00000000.00000002.1491940494.00000000035DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q-cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
                    Source: cici.exe, 00000000.00000002.1491940494.00000000035DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLR
                    Source: cici.exe, 00000000.00000002.1491940494.00000000035DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLR
                    Source: cici.exe, 00000000.00000002.1491940494.00000000035DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qdC:\Users\user\AppData\Roaming\Binance
                    Source: cici.exe, 00000000.00000002.1491940494.00000000035DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q&%localappdata%\Coinomi\Coinomi\walletsLR
                    Source: cici.exe, 00000000.00000002.1491940494.00000000035DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q4C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                    Source: C:\Users\user\Desktop\cici.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                    Source: C:\Users\user\Desktop\cici.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\cici.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\cici.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\cici.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\Desktop\cici.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\cici.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
                    Source: C:\Users\user\Desktop\cici.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                    Source: C:\Users\user\Desktop\cici.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                    Source: C:\Users\user\Desktop\cici.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                    Source: C:\Users\user\Desktop\cici.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                    Source: C:\Users\user\Desktop\cici.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\Desktop\cici.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\cici.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\cici.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\cici.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                    Source: C:\Users\user\Desktop\cici.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                    Source: C:\Users\user\Desktop\cici.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                    Source: C:\Users\user\Desktop\cici.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Jump to behavior
                    Source: C:\Users\user\Desktop\cici.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\Jump to behavior
                    Source: Yara matchFile source: 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1491940494.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: cici.exe PID: 7724, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: cici.exe, type: SAMPLE
Source: Yara match; File source: 0.0.cici.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1334088863.0000000000DE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: cici.exe PID: 7724, type: MEMORYSTR
MITRE ATT&CK Matrix, listed per tactic. The number in parentheses is the badge the report shows next to a technique it matched; techniques without a number carried no badge.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation (221); Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (241); Timestomp (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (231); Process Discovery (1); Virtualization/Sandbox Evasion (241); Application Window Discovery (1); System Information Discovery (113)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data (1); Data from Local System (3); Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Source | Detection | Scanner | Label | Link
cici.exe | 81% | Virustotal | | Browse
cici.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.RedLineStealz |
cici.exe | 100% | Joe Sandbox ML | |

No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://schemas.datacontract.org/2004/07/System.ServiceModel | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
185.81.68.147:1912 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | cici.exe, 00000000.00000002.1496226732.0000000004457000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | cici.exe, 00000000.00000002.1496226732.0000000004457000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id14ResponseD | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23ResponseD | cici.exe, 00000000.00000002.1491940494.00000000037FE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/ | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id2Response | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15V | cici.exe, 00000000.00000002.1496226732.0000000004457000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | cici.exe, 00000000.00000002.1491940494.00000000037E0000.00000004.00000800.00020000.00000000.sdmp, cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6ResponseD | cici.exe, 00000000.00000002.1491940494.00000000037FE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id5 | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id4 | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id7 | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6 | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id13ResponseD | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, cici.exe, 00000000.00000002.1491940494.00000000035DF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id5ResponseD | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, cici.exe, 00000000.00000002.1491940494.00000000037FE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | cici.exe | false | | high
http://schemas.datacontract.org/2004/07/ | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/sc | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1ResponseD | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9Response | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | cici.exe, 00000000.00000002.1496226732.0000000004457000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20 | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21 | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id22 | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23 | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24 | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.datacontract.org/2004/07/System.ServiceModel | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id24Response | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | cici.exe, 00000000.00000002.1496226732.0000000004457000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1Response | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21ResponseD | cici.exe, 00000000.00000002.1491940494.00000000037E8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/trust | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id10 | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id11 | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12 | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id16Response | cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                                                                                                                                                    high
                                                                                                                                                                                    http://tempuri.org/Entity/Id13cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      http://tempuri.org/Entity/Id14cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        http://tempuri.org/Entity/Id15cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          http://tempuri.org/Entity/Id16cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/Noncecici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              http://tempuri.org/Entity/Id17cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                http://tempuri.org/Entity/Id18cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  http://tempuri.org/Entity/Id5Responsecici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    http://tempuri.org/Entity/Id19cici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnscici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        http://tempuri.org/Entity/Id15ResponseDcici.exe, 00000000.00000002.1491940494.00000000035DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          http://tempuri.org/Entity/Id10Responsecici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/Renewcici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              http://tempuri.org/Entity/Id11ResponseDcici.exe, 00000000.00000002.1491940494.0000000003587000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                http://tempuri.org/Entity/Id8Responsecici.exe, 00000000.00000002.1491940494.00000000031D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  high
                                                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeycici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0cici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      high
                                                                                                                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDcici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        high
                                                                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTcici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          high
                                                                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2006/02/addressingidentitycici.exe, 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                            high
| IP | Domain | Country | ASN | ASN Name | Malicious |
| --- | --- | --- | --- | --- | --- |
| 185.81.68.147 | unknown | Finland | 50108 | KLNOPT-ASFI | true |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1583251
Start date and time: 2025-01-02 09:28:15 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: cici.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 10
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
| Time | Type | Description |
| --- | --- | --- |
| 03:29:18 | API Interceptor | 25x Sleep call for process: cici.exe modified |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| --- | --- | --- | --- | --- | --- | --- |
| 185.81.68.147 | 52kYJGCon6.exe | Get hash | malicious | MicroClip | Browse | 185.81.68.147/data.php |
| 185.81.68.147 | CwQQqCmqkY.exe | Get hash | malicious | MicroClip | Browse | 185.81.68.147/gg.php |
| 185.81.68.147 | uFVgJVXaEU.exe | Get hash | malicious | RedLine | Browse | 185.81.68.147/VzCAHn.php?2F409E82DCA61388941053 |
| 185.81.68.147 | m5804Te9Uw.exe | Get hash | malicious | RedLine | Browse | 185.81.68.147/VzCAHn.php?443320E440F81953448019 |
| 185.81.68.147 | 3Qv3xyyL5G.exe | Get hash | malicious | RedLine | Browse | 185.81.68.147/VzCAHn.php?65D35BAB97073674480464 |
| 185.81.68.147 | K6qneGSDSB.exe | Get hash | malicious | Babadeda, RedLine | Browse | 185.81.68.147/VzCAHn.php?616766F8886C145454191 |
| 185.81.68.147 | file.exe | Get hash | malicious | Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc | Browse | 185.81.68.147/tizhyf/gate.php?232B06DEE822786254513 |
| 185.81.68.147 | mggoBrtk9t.exe | Get hash | malicious | Amadey, RedLine | Browse | 185.81.68.147/7vhfjke3/index.php |
| 185.81.68.147 | D72j5I83wU.dll | Get hash | malicious | Amadey | Browse | 185.81.68.147/7vhfjke3/index.php |
| 185.81.68.147 | D72j5I83wU.dll | Get hash | malicious | Amadey | Browse | 185.81.68.147/7vhfjke3/index.php |
Match: s-part-0017.t-0009.t-msedge.net
Associated Sample Name / URL | Detection | Threat Name | Context
intro.avi.exe | malicious | Quasar | 13.107.246.45
random(6).exe | malicious | Stealc | 13.107.246.45
1.exe | malicious | XWorm | 13.107.246.45
installer64v7.1.0.msi | malicious | Unknown | 13.107.246.45
hcxmivKYfL.exe | malicious | RedLine | 13.107.246.45
01012025.html | malicious | HTMLPhisher | 13.107.246.45
http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26desusertion%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X | malicious | Unknown | 13.107.246.45
https://t.co/YjyGioQuKT | malicious | Unknown | 13.107.246.45
installer64v9.3.4.msi | malicious | Unknown | 13.107.246.45
TieLoader.exe | malicious | Unknown | 13.107.246.45
Match: KLNOPT-ASFI
Associated Sample Name / URL | Detection | Threat Name | Context
uFVtW2gkkN.exe | malicious | RedLine | 185.81.68.147
nXkktDu3Fp.exe | malicious | RedLine | 185.81.68.147
52kYJGCon6.exe | malicious | MicroClip | 185.81.68.147
CwQQqCmqkY.exe | malicious | MicroClip | 185.81.68.147
uFVgJVXaEU.exe | malicious | RedLine | 185.81.68.147
m5804Te9Uw.exe | malicious | RedLine | 185.81.68.147
3Qv3xyyL5G.exe | malicious | RedLine | 185.81.68.147
K6qneGSDSB.exe | malicious | Babadeda, RedLine | 185.81.68.147
file.exe | malicious | Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc | 185.81.68.147
mggoBrtk9t.exe | malicious | Amadey, RedLine | 185.81.68.148
No context
No context
Process: C:\Users\user\Desktop\cici.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3293
Entropy (8bit): 5.3364558769830905
Encrypted: false
SSDEEP: 96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEsq35D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qh
MD5: CD2726EE4EEF3843D6673734B77A3E0A
SHA1: AA537CC06CEF4CC75B6FF7CDC9B38F0660158717
SHA-256: 2C554F3CCAFF7C559620FAF795CCCE1A01CE92A914B3CDFBF12A98F8E88FAA40
SHA-512: 0ECCAAFB069D24EBC67C53E89821ED5F7FC32A752FAAF9FB4B2A99D2A6A480FF09C3B537AF01C6DCA31AD01C4143A074FDFB846BBE74D0F111F60DAB414780D5
Malicious: true
Reputation: low
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.081999894474203
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: cici.exe
File size: 307'712 bytes
MD5: aa7e5ae710a742491d6d185ae235ada8
SHA1: b35290cc2ad30580180c4520a7ba3fd88d9e913b
SHA256: 916fd267917a216fde3652623c749ea890f3530195ef8bbfad9139a37cb4a813
SHA512: dd72ab2ea617a04482bdf57623fc044bb2ba73f0f6632af0c3a92b1e6e84d0d5b127982586fd5719c7dbe252f4d783bb08823b268eb77c1dd2dad9f277ecc6ed
SSDEEP: 3072:+cZqf7D341p/0+mAqky4GUQIgteeB1fA0PuTVAtkxzD3RQeqiOL2bBOA:+cZqf7DIvnWPLB1fA0GTV8kNwL
TLSH: 9F645A5833E8C910DA7F4775D861D67093B0BCA3A556E70B4FC4ACAB3D32740EA50AB6
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H(...............0.................. ... ....@.. ....................... ............@................................
Icon Hash: 4d8ea38d85a38e6d
Entrypoint: 0x4302ce
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 35 times: zero-byte padding after the entry stub)
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x30278          0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x32000          0x1c9c6       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x50000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x2e2d4       0x2e400   d414f6b52a29be28cfd63b3162019867  False     0.47500527871621623  data       6.187176749691185    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x32000          0x1c9c6       0x1ca00   a8cf3f8ff27a4a736ba8fb433d91107f  False     0.2380765556768559   data       2.615031395625776    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x50000          0xc           0x200     951c0304dce84311b97d3da9b0180199  False     0.044921875          data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size     Type                                                                                              ZLIB Complexity
RT_ICON        0x32220  0x3d04   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                       0.9934058898847631
RT_ICON        0x35f24  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m  0.09013072282030049
RT_ICON        0x4674c  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m   0.13905290505432216
RT_ICON        0x4a974  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m     0.17033195020746889
RT_ICON        0x4cf1c  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m     0.2045028142589118
RT_ICON        0x4dfc4  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m     0.24645390070921985
RT_GROUP_ICON  0x4e42c  0x5a     data                                                                                              0.7666666666666667
RT_VERSION     0x4e488  0x352    data                                                                                              0.4447058823529412
RT_MANIFEST    0x4e7dc  0x1ea    XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                 0.5489795918367347
(The Language and Country columns are empty for every resource.)
DLL          Import
mscoree.dll  _CorExeMain
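The three tables above (data directories, sections, imports) are the output of a plain PE header walk, and together they settle one triage question: a populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header, here at RVA 0x2008 inside .text) plus a lone import of mscoree.dll!_CorExeMain is the fingerprint of a managed (.NET) executable, so the native import table says nothing about what the stealer can do; the capabilities live in IL and are only visible to a .NET decompiler or to dynamic analysis. The Python below is an added example, not Joe Sandbox code, that reproduces those columns with the standard library only. Because the sample itself is not reproduced here, the script parses a PE32 that it constructs in memory to echo the report's layout (the same section names, RVAs and directory entries); the MD5, entropy and ZLIB values it prints therefore describe the constructed bytes, not the sample. The ZLIB Complexity definition (compressed size over raw size) is an assumption about how the report's column is computed.

```python
"""PE header triage reproducing the report's directory/section columns.
Added example, not Joe Sandbox code; standard library only. The PE it parses
is constructed in memory to echo the report's layout, not the sample's bytes."""
import hashlib
import math
import struct
import zlib

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not buf:
        return 0.0
    n, counts = len(buf), [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def zlib_complexity(buf: bytes) -> float:
    """Compressed/raw size ratio (assumption: the report's column is defined alike)."""
    return len(zlib.compress(buf)) / len(buf) if buf else 0.0

def section_for_rva(sections, rva):
    """Name of the section whose virtual range contains rva, else None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None

def triage(data: bytes) -> dict:
    """Walk DOS/COFF/optional headers; return directories, section stats, .NET flag."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # NumberOfRvaAndSizes is at +92 in PE32 and +108 in PE32+; directories follow it.
    ndirs_off = opt + (92 if magic == 0x10B else 108)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "md5": hashlib.md5(raw).hexdigest(), "entropy": shannon_entropy(raw),
                         "zlib": zlib_complexity(raw), "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE)})
    directories = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, ndirs_off + 4 + 8 * i)
        directories[DIRECTORY_NAMES[i]] = (rva, size, section_for_rva(sections, rva) if size else None)
    # A populated COM descriptor (CLR header) marks a managed image: it imports only
    # mscoree.dll!_CorExeMain, so the native import table says nothing about behaviour.
    is_dotnet = directories.get("COM_DESCRIPTOR", (0, 0, None))[1] != 0
    return {"is_dotnet": is_dotnet, "sections": sections, "directories": directories}

def build_sample_pe() -> bytes:
    """Constructed PE32 skeleton mirroring the report's RVAs (bytes are not the sample's)."""
    e_lfanew, opt_size, align = 0x80, 224, 0x200
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2], dirs[5] = (0x30278, 0x53), (0x32000, 0x1C9C6), (0x50000, 0xC)
    dirs[12], dirs[14] = (0x2000, 0x8), (0x2008, 0x48)
    specs = [  # name, VA, virtual size, raw bytes (constructed), characteristics
        (b".text", 0x2000, 0x2E2D4, b"\0" * 0x100 + bytes(range(256)), 0x60000020),
        (b".rsrc", 0x32000, 0x1C9C6, b"\x89PNG" + b"\0" * 0x1FC, 0x40000040),
        (b".reloc", 0x50000, 0xC, struct.pack("<III", 0x2000, 0xC, 0), 0x42000040)]
    raw_base = -(-(e_lfanew + 24 + opt_size + 40 * len(specs)) // align) * align
    out = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, opt_size, 0x102)
    out += struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)
    out += b"".join(struct.pack("<II", *d) for d in dirs)
    blobs = b""
    for name, va, vsize, raw, chars in specs:
        padded = raw.ljust(-(-len(raw) // align) * align, b"\0")
        out += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, len(padded),
                           raw_base + len(blobs), 0, 0, 0, 0, chars)
        blobs += padded
    return out.ljust(raw_base, b"\0") + blobs

if __name__ == "__main__":
    report = triage(build_sample_pe())
    print("managed (.NET) image:", report["is_dotnet"])
    for n, (rva, size, sec) in report["directories"].items():
        if size:
            print(f"{n:<16}{rva:#09x}{size:#9x}  {sec}")
    for s in report["sections"]:
        print(f"{s['name']:<8}{s['va']:#09x}{s['vsize']:#9x}{s['rawsize']:#9x}  "
              f"entropy={s['entropy']:.2f} zlib={s['zlib']:.2f} {s['md5']}")
```

To run it against a real file, replace build_sample_pe() with the file's bytes; the walk is the same for PE32 and PE32+ apart from the directory-count offset, and the section lookup uses the larger of virtual and raw size so that a directory whose RVA falls in file-aligned slack (as with the 0xc-byte .reloc section padded to 0x200 on disk) is still attributed correctly.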
Timestamp                        SID      Signature                                                                                Severity  Source IP      Source Port  Dest IP        Dest Port  Protocol
2025-01-02T09:29:09.319239+0100  2043231  ET MALWARE Redline Stealer TCP CnC Activity                                              1         192.168.2.9    49731        185.81.68.147  1912       TCP
2025-01-02T09:29:09.319239+0100  2046045  ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)  1         192.168.2.9    49731        185.81.68.147  1912       TCP
2025-01-02T09:29:09.537702+0100  2043234  ET MALWARE Redline Stealer TCP CnC - Id1Response                                         1         185.81.68.147  1912         192.168.2.9    49731      TCP
2025-01-02T09:29:14.831547+0100  2043231  ET MALWARE Redline Stealer TCP CnC Activity                                              1         192.168.2.9    49731        185.81.68.147  1912       TCP
2025-01-02T09:29:15.272904+0100  2043231  ET MALWARE Redline Stealer TCP CnC Activity                                              1         192.168.2.9    49731        185.81.68.147  1912       TCP
2025-01-02T09:29:15.277889+0100  2046056  ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)                        1         185.81.68.147  1912         192.168.2.9    49731      TCP
2025-01-02T09:29:15.506324+0100  2043231  ET MALWARE Redline Stealer TCP CnC Activity                                              1         192.168.2.9    49731        185.81.68.147  1912       TCP
2025-01-02T09:29:15.734061+0100  2043231  ET MALWARE Redline Stealer TCP CnC Activity                                              1         192.168.2.9    49731        185.81.68.147  1912       TCP
2025-01-02T09:29:15.959384+0100  2043231  ET MALWARE Redline Stealer TCP CnC Activity                                              1         192.168.2.9    49731        185.81.68.147  1912       TCP
2025-01-02T09:29:16.178679+0100  2043231  ET MALWARE Redline Stealer TCP CnC Activity                                              1         192.168.2.9    49731        185.81.68.147  1912       TCP
2025-01-02T09:29:16.440229+0100  2043231  ET MALWARE Redline Stealer TCP CnC Activity                                              1         192.168.2.9    49731        185.81.68.147  1912       TCP
2025-01-02T09:29:16.724443+0100  2043231  ET MALWARE Redline Stealer TCP CnC Activity                                              1         192.168.2.9    49731        185.81.68.147  1912       TCP
2025-01-02T09:29:17.038818+0100  2043231  ET MALWARE Redline Stealer TCP CnC Activity                                              1         192.168.2.9    49731        185.81.68.147  1912       TCP
2025-01-02T09:29:17.342439+0100  2043231  ET MALWARE Redline Stealer TCP CnC Activity                                              1         192.168.2.9    49731        185.81.68.147  1912       TCP
2025-01-02T09:29:17.347433+0100  2043231  ET MALWARE Redline Stealer TCP CnC Activity                                              1         192.168.2.9    49731        185.81.68.147  1912       TCP
2025-01-02T09:29:19.276839+0100  2043231  ET MALWARE Redline Stealer TCP CnC Activity                                              1         192.168.2.9    49731        185.81.68.147  1912       TCP
2025-01-02T09:29:19.548551+0100  2043231  ET MALWARE Redline Stealer TCP CnC Activity                                              1         192.168.2.9    49731        185.81.68.147  1912       TCP
2025-01-02T09:29:20.127769+0100  2043231  ET MALWARE Redline Stealer TCP CnC Activity                                              1         192.168.2.9    49731        185.81.68.147  1912       TCP
2025-01-02T09:29:20.348409+0100  2043231  ET MALWARE Redline Stealer TCP CnC Activity                                              1         192.168.2.9    49731        185.81.68.147  1912       TCP
2025-01-02T09:29:20.743818+0100  2043231  ET MALWARE Redline Stealer TCP CnC Activity                                              1         192.168.2.9    49731        185.81.68.147  1912       TCP
2025-01-02T09:29:21.078009+0100  2043231  ET MALWARE Redline Stealer TCP CnC Activity                                              1         192.168.2.9    49731        185.81.68.147  1912       TCP
                                                                                                                                                                                                                            2025-01-02T09:29:21.302034+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949731185.81.68.1471912TCP
                                                                                                                                                                                                                            2025-01-02T09:29:21.524359+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949731185.81.68.1471912TCP
                                                                                                                                                                                                                            2025-01-02T09:29:21.791272+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949731185.81.68.1471912TCP
                                                                                                                                                                                                                            2025-01-02T09:29:22.013433+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949731185.81.68.1471912TCP
                                                                                                                                                                                                                            2025-01-02T09:29:22.232452+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949731185.81.68.1471912TCP
                                                                                                                                                                                                                            2025-01-02T09:29:22.450942+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949731185.81.68.1471912TCP
                                                                                                                                                                                                                            2025-01-02T09:29:22.714673+01002043231ET MALWARE Redline Stealer TCP CnC Activity1192.168.2.949731185.81.68.1471912TCP
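Added example, not part of the Joe Sandbox report: a small Python triage script that turns rows like the Suricata alerts above and the TCP packet list below into something a responder can act on. It collapses the repeated alert hits into one C2 indicator (SID, server IP, port, protocol) with hit count, first/last seen and the set of victim hosts, and counts packets per direction and the span of the 49731 -> 1912 session. The '|' separated row layout is an assumption made for this example (it is not Suricata's fast.log or eve.json format); the sample rows are copied from this report, and UTC+1 is assumed from the '+0100' and 'CET' stamps.

```python
"""Triage helper for sandbox network tables (added example, not report code).

Sample rows below are copied from the report and re-encoded with '|' separators;
that layout is an assumption made for this example, not a Suricata output format.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample input: five of the Suricata alert rows from the report.
ALERT_LINES = """\
2025-01-02T09:29:16.178679+0100|2043231|ET MALWARE Redline Stealer TCP CnC Activity|1|192.168.2.9|49731|185.81.68.147|1912|TCP
2025-01-02T09:29:16.440229+0100|2043231|ET MALWARE Redline Stealer TCP CnC Activity|1|192.168.2.9|49731|185.81.68.147|1912|TCP
2025-01-02T09:29:16.724443+0100|2043231|ET MALWARE Redline Stealer TCP CnC Activity|1|192.168.2.9|49731|185.81.68.147|1912|TCP
2025-01-02T09:29:17.038818+0100|2043231|ET MALWARE Redline Stealer TCP CnC Activity|1|192.168.2.9|49731|185.81.68.147|1912|TCP
2025-01-02T09:29:17.342439+0100|2043231|ET MALWARE Redline Stealer TCP CnC Activity|1|192.168.2.9|49731|185.81.68.147|1912|TCP
"""

# Constructed sample input: the first six TCP packet rows from the report.
PACKET_LINES = """\
Jan 2, 2025 09:29:08.185311079 CET|49731|1912|192.168.2.9|185.81.68.147
Jan 2, 2025 09:29:08.190258026 CET|1912|49731|185.81.68.147|192.168.2.9
Jan 2, 2025 09:29:08.190377951 CET|49731|1912|192.168.2.9|185.81.68.147
Jan 2, 2025 09:29:08.199968100 CET|49731|1912|192.168.2.9|185.81.68.147
Jan 2, 2025 09:29:08.204827070 CET|1912|49731|185.81.68.147|192.168.2.9
Jan 2, 2025 09:29:08.894671917 CET|1912|49731|185.81.68.147|192.168.2.9
"""

CET = timezone(timedelta(hours=1))  # assumed from the '+0100' / 'CET' stamps


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    msg: str
    severity: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Packet:
    ts: datetime
    sport: int
    dport: int
    src: str
    dst: str


def _truncate_fraction(stamp: str) -> str:
    """strptime's %f accepts at most six digits; cut nanoseconds to microseconds."""
    head, sep, tail = stamp.partition(".")
    if not sep:
        return stamp
    n = 0
    while n < len(tail) and tail[n].isdigit():
        n += 1
    return f"{head}.{tail[:min(n, 6)]}{tail[n:]}"


def parse_alerts(text: str) -> list[Alert]:
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, msg, sev, src, sport, dst, dport, proto = line.split("|")
        when = datetime.strptime(_truncate_fraction(ts), "%Y-%m-%dT%H:%M:%S.%f%z")
        alerts.append(Alert(when, int(sid), msg, int(sev), src, int(sport), dst, int(dport), proto))
    return alerts


def parse_packets(text: str, tz: timezone = CET) -> list[Packet]:
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, src, dst = line.split("|")
        naive = datetime.strptime(_truncate_fraction(ts.removesuffix(" CET")), "%b %d, %Y %H:%M:%S.%f")
        pkts.append(Packet(naive.replace(tzinfo=tz), int(sport), int(dport), src, dst))
    return pkts


def c2_indicators(alerts: list[Alert]) -> dict:
    """One record per (sid, server, port, proto): the server-side tuple is the
    indicator to block or hunt for; victim hosts are collected, not keyed."""
    summary: dict = {}
    for a in alerts:
        key = (a.sid, a.dst, a.dport, a.proto)
        rec = summary.setdefault(key, {"msg": a.msg, "count": 0, "first": a.ts, "last": a.ts, "victims": set()})
        rec["count"] += 1
        rec["first"] = min(rec["first"], a.ts)
        rec["last"] = max(rec["last"], a.ts)
        rec["victims"].add(a.src)
    return summary


def direction_counts(packets: list[Packet], victim_ip: str) -> dict:
    """Packets sent by the victim ('out') versus received from the C2 ('in')."""
    return dict(Counter("out" if p.src == victim_ip else "in" for p in packets))


def session_duration(packets: list[Packet]) -> timedelta:
    stamps = [p.ts for p in packets]
    return max(stamps) - min(stamps)


if __name__ == "__main__":
    for key, rec in c2_indicators(parse_alerts(ALERT_LINES)).items():
        print(key, rec["count"], rec["first"].isoformat(), rec["last"].isoformat(), sorted(rec["victims"]))
    pkts = parse_packets(PACKET_LINES)
    print(direction_counts(pkts, "192.168.2.9"), session_duration(pkts))
```

Run on the full tables, the same functions give the blocking indicator 185.81.68.147:1912/TCP, the number of hosts that talked to it, and how long each session lasted; the per-direction split is a quick sanity check that the server actually answered (a one-sided burst of SYNs looks very different from the sustained exchange recorded here).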
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 2, 2025 09:29:08.185311079 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:08.190258026 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:08.190377951 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:08.199968100 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:08.204827070 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:08.894671917 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:08.942020893 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:09.319238901 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:09.324044943 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:09.537702084 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:09.579715967 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:14.831547022 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:14.836421013 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:15.050790071 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:15.050810099 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:15.050829887 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:15.050839901 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:15.050851107 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:15.050863028 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:15.050873041 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:15.050980091 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:15.272903919 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:15.277889013 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:15.501133919 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:15.506324053 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:15.511205912 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:15.724201918 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:15.734061003 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:15.738961935 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:15.952218056 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:15.959383965 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:15.964200020 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:16.177521944 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:16.178678989 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:16.183532000 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:16.403156042 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:16.440228939 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:16.445179939 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:16.660201073 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:16.660217047 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:16.660238028 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:16.660299063 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:16.660435915 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:16.660449028 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:16.660461903 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:16.660480976 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:16.660511017 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:16.724442959 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:16.729264975 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:16.942253113 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:16.990479946 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.038817883 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.043631077 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.256623983 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.298540115 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.342438936 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.347340107 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.347393990 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.347413063 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.347420931 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.347433090 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.347433090 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.347472906 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.347476006 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.347491980 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.347516060 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.347517967 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.347528934 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.347557068 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.347599983 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.347609043 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.347626925 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.347657919 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.347657919 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.347671032 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.347696066 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.347727060 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.352310896 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.352323055 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.352389097 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.352400064 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.352411985 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.352440119 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.352478027 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.352632046 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.352677107 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.352688074 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.352726936 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.352771044 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.352814913 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.352821112 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.352870941 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.352945089 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.352963924 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.352993965 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.353013039 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.353017092 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.353061914 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.353075027 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.353117943 CET | 49731 | 1912 | 192.168.2.9 | 185.81.68.147
Jan 2, 2025 09:29:17.353184938 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
Jan 2, 2025 09:29:17.353194952 CET | 1912 | 49731 | 185.81.68.147 | 192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.353234053 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.353254080 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.357320070 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.357331038 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.357356071 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.357400894 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.357434988 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.357448101 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.357487917 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.357927084 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.357938051 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.357945919 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.357954979 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.357964039 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.357971907 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.357980967 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.357989073 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.357996941 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358000994 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358006001 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358015060 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358021021 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358033895 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358042955 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358051062 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358059883 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358067036 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358076096 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358099937 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358108997 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358165979 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358174086 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358213902 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358222008 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358232021 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358267069 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358288050 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358297110 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358300924 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358308077 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358331919 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358336926 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358352900 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358376026 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358376980 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358386040 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358413935 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358436108 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358443022 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358453989 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358496904 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.358505011 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.362225056 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.362235069 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.362303019 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.362312078 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.362344980 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.362354040 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.362391949 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.362401009 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.362441063 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.362449884 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.362618923 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.362780094 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.362847090 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.362857103 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.362929106 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.362938881 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.362956047 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.362963915 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363014936 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363023043 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363059044 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363076925 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363112926 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363121033 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363204956 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363214016 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363270998 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363279104 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363305092 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363322020 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363351107 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363358974 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363374949 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363398075 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363409042 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363435984 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363491058 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363500118 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363576889 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363585949 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363596916 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363616943 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363662004 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363671064 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363708019 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.363715887 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.370825052 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.370832920 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.370909929 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.370918036 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.370927095 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.370935917 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.370950937 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.370959997 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.371049881 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.371058941 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.371067047 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.371076107 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.371090889 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.371098995 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.371121883 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.371129990 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.374788046 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.374814034 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.374886990 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.374901056 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.374919891 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.374950886 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.374996901 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375004053 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375014067 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375062943 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375072002 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375081062 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375102997 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375161886 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375222921 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375231981 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375248909 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375277996 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375346899 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375355959 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375391960 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375420094 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375555038 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375565052 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375596046 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375605106 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375638008 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375646114 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375698090 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375705957 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375770092 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375777960 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375817060 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375824928 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375865936 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375874043 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375915051 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375922918 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375972986 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.375981092 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.376015902 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.376024008 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.376051903 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.376060009 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.376100063 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.376107931 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.376151085 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.376159906 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.376203060 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.376211882 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.376250029 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.376257896 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.376287937 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.376296043 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.376333952 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.379793882 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.379852057 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.379859924 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.379924059 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.379931927 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380001068 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380008936 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380026102 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380064964 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380074024 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380099058 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380105972 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380165100 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380173922 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380198956 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380289078 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380297899 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380366087 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380374908 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380414963 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380423069 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380465984 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380475998 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380503893 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380544901 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380587101 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:17.380595922 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:21.083220005 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:21.083267927 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:21.083277941 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:21.083327055 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:21.083344936 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:21.083385944 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:21.083395004 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:21.298330069 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:21.302033901 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:21.307482004 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:21.520175934 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:21.524358988 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:21.529191017 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:21.742425919 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:21.791271925 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:21.796010017 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:22.011212111 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:22.013432980 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:22.018299103 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:22.231494904 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:22.232451916 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:22.237229109 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:22.450073004 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:22.450942039 CET497311912192.168.2.9185.81.68.147
                                                                                                                                                                                                                            Jan 2, 2025 09:29:22.456166983 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:22.671720982 CET191249731185.81.68.147192.168.2.9
                                                                                                                                                                                                                            Jan 2, 2025 09:29:22.714673042 CET497311912192.168.2.9185.81.68.147
Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                                           CName                            Address        Type                    Class        DNS over HTTPS
Jan 2, 2025 09:29:03.985361099 CET  1.1.1.1    192.168.2.9  0x20b0    No error (0)  shed.dual-low.s-part-0017.t-0009.t-msedge.net  s-part-0017.t-0009.t-msedge.net  -              CNAME (Canonical name)  IN (0x0001)  false
Jan 2, 2025 09:29:03.985361099 CET  1.1.1.1    192.168.2.9  0x20b0    No error (0)  s-part-0017.t-0009.t-msedge.net                -                                13.107.246.45  A (IP address)          IN (0x0001)  false
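The packet table above read as one flow: an added Python example, not part of the Joe Sandbox report, that regroups the rows by connection, counts packets per direction, and flags what an analyst would check first. The rendering on this page fuses the five columns, and the fused form cannot be split unambiguously (port and address digits run together), so the example assumes the table has been exported with tab-separated columns; the rows embedded below are a constructed subset (15 of the 41 packets) of this report's table. The DNS answers shown resolve only a t-msedge.net name; nothing in this section maps a hostname to 185.81.68.147, so the address is contacted directly.

```python
"""Flow summary and triage for a Joe Sandbox 'TCP Packets' table (added example).
Assumes tab-separated columns: Timestamp, Source Port, Dest Port, Source IP, Dest IP."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed input: 15 of the 41 rows from this report's packet table for the
# 192.168.2.9:49731 <-> 185.81.68.147:1912 connection, re-separated with tabs.
SAMPLE_ROWS = """\
Jan 2, 2025 09:29:20.743818045 CET\t49731\t1912\t192.168.2.9\t185.81.68.147
Jan 2, 2025 09:29:20.748709917 CET\t1912\t49731\t185.81.68.147\t192.168.2.9
Jan 2, 2025 09:29:20.963720083 CET\t1912\t49731\t185.81.68.147\t192.168.2.9
Jan 2, 2025 09:29:21.017246008 CET\t49731\t1912\t192.168.2.9\t185.81.68.147
Jan 2, 2025 09:29:21.078008890 CET\t49731\t1912\t192.168.2.9\t185.81.68.147
Jan 2, 2025 09:29:21.082973003 CET\t1912\t49731\t185.81.68.147\t192.168.2.9
Jan 2, 2025 09:29:21.082988977 CET\t1912\t49731\t185.81.68.147\t192.168.2.9
Jan 2, 2025 09:29:21.083020926 CET\t1912\t49731\t185.81.68.147\t192.168.2.9
Jan 2, 2025 09:29:21.083030939 CET\t1912\t49731\t185.81.68.147\t192.168.2.9
Jan 2, 2025 09:29:21.083076954 CET\t1912\t49731\t185.81.68.147\t192.168.2.9
Jan 2, 2025 09:29:21.083087921 CET\t1912\t49731\t185.81.68.147\t192.168.2.9
Jan 2, 2025 09:29:21.083138943 CET\t1912\t49731\t185.81.68.147\t192.168.2.9
Jan 2, 2025 09:29:21.298330069 CET\t1912\t49731\t185.81.68.147\t192.168.2.9
Jan 2, 2025 09:29:21.302033901 CET\t49731\t1912\t192.168.2.9\t185.81.68.147
Jan 2, 2025 09:29:22.714673042 CET\t49731\t1912\t192.168.2.9\t185.81.68.147
"""

# "Jan 2, 2025 09:29:20.743818045 CET": strptime's %f stops at microseconds, so
# the nanosecond fraction is captured separately. The zone suffix is ignored;
# every row of one report shares it, and only differences are used.
TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d{1,9}) \w+$")
_EPOCH = datetime(1970, 1, 1)


def parse_timestamp_ns(text: str) -> int:
    """Report timestamp -> integer nanoseconds (naive, report-local time)."""
    m = TS_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    nanos = int(m.group(2).ljust(9, "0"))
    return int((base - _EPOCH).total_seconds()) * 10**9 + nanos


@dataclass
class Flow:
    client: str            # side that sent the first packet seen
    client_port: int
    server: str
    server_port: int
    first_seen_ns: int
    last_seen_ns: int
    packets_out: int = 0   # client -> server
    packets_in: int = 0    # server -> client

    @property
    def duration_ns(self) -> int:
        return self.last_seen_ns - self.first_seen_ns


def summarise_flows(table: str) -> list[Flow]:
    """Group packets into flows keyed by the unordered (ip, port) pair."""
    flows: dict[tuple, Flow] = {}
    for line in table.splitlines():
        if not line.strip():
            continue
        ts_text, sport, dport, src, dst = line.split("\t")
        ts, sport, dport = parse_timestamp_ns(ts_text), int(sport), int(dport)
        key = tuple(sorted([(src, sport), (dst, dport)]))
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(src, sport, dst, dport, ts, ts)
        flow.first_seen_ns = min(flow.first_seen_ns, ts)
        flow.last_seen_ns = max(flow.last_seen_ns, ts)
        if (src, sport) == (flow.client, flow.client_port):
            flow.packets_out += 1
        else:
            flow.packets_in += 1
    return list(flows.values())


# Ports a sandboxed Windows host is expected to talk to; anything else is worth
# a look. Assumed baseline for the example, tune to your environment.
EXPECTED_PORTS = {53, 80, 123, 443, 853, 8080, 8443}


def triage(flow: Flow) -> list[str]:
    """Plain-language findings for one flow."""
    findings = []
    if flow.server_port not in EXPECTED_PORTS:
        findings.append(f"non-standard server port {flow.server_port}")
    if (ipaddress.ip_address(flow.client).is_private
            and ipaddress.ip_address(flow.server).is_global):
        findings.append(f"outbound from {flow.client} to public host {flow.server}")
    if flow.packets_in > flow.packets_out:
        findings.append(f"server-heavy exchange: {flow.packets_in} in vs {flow.packets_out} out")
    return findings
```

summarise_flows(SAMPLE_ROWS) yields a single flow from 192.168.2.9:49731 to 185.81.68.147:1912, and triage() on it reports the non-standard port, the outbound connection to a public host, and the server-heavy direction ratio; the last point is the one a packet-count table can show without payload sizes, and it matches the burst of server-to-client packets at 09:29:21.083 in the full table.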


Target ID: 0
Start time: 03:29:05
Start date: 02/01/2025
Path: C:\Users\user\Desktop\cici.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\cici.exe"
Imagebase: 0xde0000
File size: 307'712 bytes
MD5 hash: AA7E5AE710A742491D6D185AE235ADA8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1334088863.0000000000DE2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1491940494.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true
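The Source field of each Yara match above, and the Memory Dump Source lines in the disassembly section that follows, name an .sdmp memory dump whose file name encodes where the bytes came from. The following is an added Python example, not Joe Sandbox code; the field layout it decodes is inferred from the names on this page and is an assumption: the fifth field lines up with the winnt.h page-protection constants (0x02, 0x04 and 0x40 occur here) and the seventh with the region type (0x01000000 MEM_IMAGE, 0x00020000 MEM_PRIVATE), while the sixth and eighth fields are left undecoded. Under that reading the RedLine rule hit at 0xDE2000 sits in the mapped image (inside the 0xDE0000 image base), the two credential-stealer hits sit in private read-write memory, and the 0x1470000 region the disassembly was lifted from is private read-write-execute memory with no backing PE, which is what "based on PE: false" and the 100% dynamic/decrypted code coverage describe. The Yara lines embedded below are copied from this report's process entry.

```python
"""Decode Joe Sandbox '*.sdmp' dump names and classify where a Yara hit lives.
Added example, not Joe Sandbox code. Field layout is an assumption inferred from
the names on this page: pid.stage.dump_id.base.protect.<f6>.mem_type.<f8>.sdmp"""
import re
from dataclasses import dataclass

# Windows memory constants from winnt.h. Field 5 is assumed to be the page
# protection and field 7 the region type; both match every value on this page.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x00020000: "MEM_PRIVATE", 0x00040000: "MEM_MAPPED", 0x01000000: "MEM_IMAGE"}
EXECUTE_BITS = 0xF0   # the four PAGE_EXECUTE* protections

NAME_RE = re.compile(
    r"^(?P<pid>[0-9a-f]{8})\.(?P<stage>[0-9a-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<mem_type>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp$", re.IGNORECASE)


@dataclass(frozen=True)
class DumpSource:
    pid: int
    stage: int
    dump_id: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def is_executable(self) -> bool:
        return bool(self.protect & EXECUTE_BITS)

    @property
    def is_image(self) -> bool:
        return self.mem_type == 0x01000000


def parse_dump_source(name: str) -> DumpSource:
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised sdmp name: {name!r}")
    return DumpSource(int(m["pid"], 16), int(m["stage"], 16), int(m["dump_id"]),
                      int(m["base"], 16), int(m["protect"], 16), int(m["mem_type"], 16))


def classify(d: DumpSource) -> str:
    """Where a hit lives decides what to do with it next."""
    if d.is_image:
        return "mapped PE image"   # bytes are in the file on disk; match the file itself
    if d.is_executable:
        return "dynamic code"      # executable private memory: JIT, unpacked or injected code; dump it
    return "data"                  # heap/stack: decrypted config, strings, harvested credentials


YARA_RE = re.compile(r"Rule: (?P<rule>\S+),.*?Source: (?P<source>\S+\.sdmp)")


def triage_yara_matches(lines: list[str]) -> list[tuple[str, str, int]]:
    """(rule, region class, base address) for each Yara match line that names a dump."""
    out = []
    for line in lines:
        m = YARA_RE.search(line)
        if m:
            d = parse_dump_source(m["source"])
            out.append((m["rule"], classify(d), d.base))
    return out


# Constructed input: the three Yara match lines from this report's process entry.
YARA_LINES = [
    "• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1334088863.0000000000DE2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1491940494.0000000003264000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1491940494.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security",
]
```

triage_yara_matches(YARA_LINES) returns (rule, region class, base) triples; parse_dump_source() on the disassembly's source name classifies 0x1470000 as dynamic code. Dumps in that class are the ones to pull for static analysis, because the on-disk file does not contain those bytes, and hits classified as data are where decrypted configuration and harvested material are found.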


Execution Graph

Execution Coverage: 7.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 38
Total number of Limit Nodes: 7

Execution graph (node dump condensed; the rendered graph is not reproduced). Four entry points, each with the API calls its path reaches:
• 0x147d300: DuplicateHandle -> 0x147d396
• 0x1474668 -> 0x1474684 -> 0x14747a0 -> 0x14747c5 -> 0x14748a1 or 0x14748b0 -> 0x14748d7 -> 0x1474248 -> 0x1475940: CreateActCtxA -> 0x1475a03 (on the 0x14748b0 branch CreateActCtxA is recorded at 0x1474248 directly); both branches also reach 0x14749b4, which loops on itself
• 0x147ad38 -> 0x147ae20 or 0x147ae30 -> 0x147ae41 -> 0x147b068: GetModuleHandleW -> 0x147b095 -> 0x147ad47 (or 0x147ae41 -> 0x147ae64 -> 0x147ad47)
• 0x147d0b8 -> 0x147d0fe: GetCurrentProcess -> 0x147d150: GetCurrentThread -> 0x147d18d: GetCurrentProcess -> 0x147d1c3 -> 0x147d1eb: GetCurrentThreadId -> 0x147d21c

                                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 0147D136
                                                                                                                                                                                                                              • GetCurrentThread.KERNEL32 ref: 0147D173
                                                                                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 0147D1B0
                                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0147D209
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1490581714.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_1470000_cici.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Current$ProcessThread
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2063062207-0
                                                                                                                                                                                                                              • Opcode ID: fd3bc93b71a7692fa4b091693b8fb4c4f7337672c0aeb320241a943a6ce659dd
                                                                                                                                                                                                                              • Instruction ID: f60fe16569f1dd4ac569459b0c616ff89dfc46e65f9dbe1577359c9d22b8e0dc
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: fd3bc93b71a7692fa4b091693b8fb4c4f7337672c0aeb320241a943a6ce659dd
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2C5167B49013498FEB14CFAAE548BDEBBF1EF88314F20845AE019A73A0D7755944CB65

                                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 0147D136
                                                                                                                                                                                                                              • GetCurrentThread.KERNEL32 ref: 0147D173
                                                                                                                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 0147D1B0
                                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0147D209
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1490581714.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_1470000_cici.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: Current$ProcessThread
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 2063062207-0
                                                                                                                                                                                                                              • Opcode ID: 8dacb930b4f1fe70a8d73c74e0c0f662bc591db1968c45bf078fa66c020f405d
                                                                                                                                                                                                                              • Instruction ID: e994cb4d9b382ae3ab6290075f220f3245c04b7803a038236b2375006555c672
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8dacb930b4f1fe70a8d73c74e0c0f662bc591db1968c45bf078fa66c020f405d
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 855156B49017098FDB14CFAAD948BDEBBF1FF88314F20845AE019A73A0D7759944CB65

                                                                                                                                                                                                                              Control-flow Graph

Control-flow graph for 0x147ae30-0x147b0b0 (rendered graph not reproduced; legend: Executed / Not Executed). Entry block 0x147ae30; blocks that make calls, in address order: 0x147ae41 calls 0x1479838; 0x147ae56 calls 0x147b0b8 or 0x147b0c8; 0x147aee8 calls 0x147a814; 0x147af30 calls 0x147a824; 0x147af56 calls 0x147a834 and 0x147a844; 0x147b068 calls GetModuleHandleW and falls through to 0x147b095 / 0x147b09c-0x147b0b0.
                                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0147B086
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1490581714.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_1470000_cici.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID: HandleModule
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID: 4139908857-0
                                                                                                                                                                                                                              • Opcode ID: 63638d37ded802a1af78708cb91c2a7128de3955eedb952023e2753755db3c74
                                                                                                                                                                                                                              • Instruction ID: 36113337bd6e1d74bd9cea5eb1a7658c7d3594ec0722a6eaa74a9efeb1a15369
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 63638d37ded802a1af78708cb91c2a7128de3955eedb952023e2753755db3c74
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9A8123B0A00B058FE724CF2AD55479BBBF1FF88214F14892ED48A97B60D775E846CB91

Control-flow Graph
control_flow_graph 104 1475935-1475a01 CreateActCtxA 106 1475a03-1475a09 104->106 107 1475a0a-1475a64 104->107 106->107 114 1475a66-1475a69 107->114 115 1475a73-1475a77 107->115 114->115 116 1475a79-1475a85 115->116 117 1475a88 115->117 116->117 119 1475a89 117->119 119->119
APIs
• CreateActCtxA.KERNEL32(?), ref: 014759F1
Memory Dump Source
• Source File: 00000000.00000002.1490581714.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1470000_cici.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 6f36a6a1f6ea7f387d8f6dbb82319a476fb9f3215a6f0bfb1d0c26faa24b9ac4
• Instruction ID: 34cfda40eb971db032453f540cbb3e533416bcf8f3a3eea2673824cb401d1857
• Opcode Fuzzy Hash: 6f36a6a1f6ea7f387d8f6dbb82319a476fb9f3215a6f0bfb1d0c26faa24b9ac4
• Instruction Fuzzy Hash: F0418EB0C00719CFDB24DFA9C884BDEBBB5BF89704F20846AD408AB261DB756945CF50

Control-flow Graph
control_flow_graph 120 1474248-1475a01 CreateActCtxA 123 1475a03-1475a09 120->123 124 1475a0a-1475a64 120->124 123->124 131 1475a66-1475a69 124->131 132 1475a73-1475a77 124->132 131->132 133 1475a79-1475a85 132->133 134 1475a88 132->134 133->134 136 1475a89 134->136 136->136
APIs
• CreateActCtxA.KERNEL32(?), ref: 014759F1
Memory Dump Source
• Source File: 00000000.00000002.1490581714.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1470000_cici.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 6d92ee87f36d670973ed37b074d1cc6aff1a8eaf1078861208079dc441aa7725
• Instruction ID: 7cc5129af9e3c446589d71c9076ab4cecd887c976fbc8c3f8dd86c254eeb99d4
• Opcode Fuzzy Hash: 6d92ee87f36d670973ed37b074d1cc6aff1a8eaf1078861208079dc441aa7725
• Instruction Fuzzy Hash: 3D41AFB0D00719CBDB24DFAAC884BDEBBB5FF89704F20846AD408AB251DB756945CF94

Control-flow Graph
control_flow_graph 137 147d2f9-147d2fe 138 147d300-147d394 DuplicateHandle 137->138 139 147d396-147d39c 138->139 140 147d39d-147d3ba 138->140 139->140
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0147D387
Memory Dump Source
• Source File: 00000000.00000002.1490581714.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1470000_cici.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 440ed48bd31efa81b0fb64e10f2b18390f4d8ef7d0244ecb9968a46e672a391a
• Instruction ID: 9ab03d0054792059899c2a760df94695bd76e3f521836f14dd9628cfaccb4771
• Opcode Fuzzy Hash: 440ed48bd31efa81b0fb64e10f2b18390f4d8ef7d0244ecb9968a46e672a391a
• Instruction Fuzzy Hash: B721E3B5900349AFDB10CFAAD584ADEBBF4EB48310F14806AE958A3350D378A954CFA5

Control-flow Graph
control_flow_graph 143 147d300-147d394 DuplicateHandle 144 147d396-147d39c 143->144 145 147d39d-147d3ba 143->145 144->145
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0147D387
Memory Dump Source
• Source File: 00000000.00000002.1490581714.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1470000_cici.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 5e5e437e7bdf23af6df842a672aaf94a1f98b19729fa0aff502331cfbfcaacfe
• Instruction ID: 8a2960d68b6ca8c923bc1b012ee32db6b714b720d353e37b5754bf0d49e6d2b7
• Opcode Fuzzy Hash: 5e5e437e7bdf23af6df842a672aaf94a1f98b19729fa0aff502331cfbfcaacfe
• Instruction Fuzzy Hash: 6E21C4B5D002499FDB10CFAAD584ADEBBF4EB48310F14841AE918A3350D374A954CFA5

Control-flow Graph
control_flow_graph 148 147b020-147b060 149 147b062-147b065 148->149 150 147b068-147b093 GetModuleHandleW 148->150 149->150 151 147b095-147b09b 150->151 152 147b09c-147b0b0 150->152 151->152
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0147B086
Memory Dump Source
• Source File: 00000000.00000002.1490581714.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1470000_cici.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 8f354484af309a16915f6dc0215ca4f285436c5cb989bee34c5cfc17313d5863
• Instruction ID: 2bedf66f7f4ac93cf793021252c1a36ed30270fba85c98b2d0901f7d69c4584e
• Opcode Fuzzy Hash: 8f354484af309a16915f6dc0215ca4f285436c5cb989bee34c5cfc17313d5863
• Instruction Fuzzy Hash: 8D11DFB5C007498FDB20CF9AC444ADEFBF4EB88214F10842AD569B7610D379A545CFA5
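The records in this group are the Joe Sandbox IDA plugin's per-function output for the memory dump at offset 01470000, which the report flags `based on PE: false`: the disassembly comes from a dumped memory region, not from cici.exe as it sits on disk. Each `control_flow_graph` line is the text serialisation of the rendered graph: a decimal node id followed by the basic block's hex address range (or a single address), optional `call <target>` annotations for intra-module calls or the name of the imported API the block invokes, and `a->b` edges. The Python below is an added example, not part of the report and not Joe Security tooling; it parses that line together with the `APIs` reference line, lists the function's internal callees, and reports for the named import which block carries it, whether that block is reachable from the entry (assumed, as these records are ordered, to be the first node listed) and whether the `ref` call-site address actually falls inside that block. Both sample lines are copied from the GetModuleHandleW and DuplicateHandle records above.

```python
# Parser for the Joe Sandbox function records above: the one-line control_flow_graph
# edge list and the 'APIs' reference line. Added example, not Joe Security tooling.
# Assumption: the first node listed in a control_flow_graph line is the function entry.
import re
from collections import deque
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^([0-9a-fA-F]+)(?:-([0-9a-fA-F]+))?$")
API_REF_RE = re.compile(r"^\W*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9a-fA-F]+)$")
# Sample input copied from the records above (function at 0x147ae30, function at 0x147d2f9).
CFG_GETMODULEHANDLE = (
    "control_flow_graph 45 147ae30-147ae3f 46 147ae41-147ae4e call 1479838 45->46 47 147ae6b-147ae6f "
    "45->47 54 147ae64 46->54 55 147ae50 46->55 48 147ae83-147aec4 47->48 49 147ae71-147ae7b 47->49 "
    "56 147aec6-147aece 48->56 57 147aed1-147aedf 48->57 49->48 54->47 102 147ae56 call 147b0c8 55->102 "
    "103 147ae56 call 147b0b8 55->103 56->57 58 147af03-147af05 57->58 59 147aee1-147aee6 57->59 "
    "63 147af08-147af0f 58->63 61 147aef1 59->61 62 147aee8-147aeef call 147a814 59->62 60 147ae5c-147ae5e "
    "60->54 64 147afa0-147afb7 60->64 66 147aef3-147af01 61->66 62->66 67 147af11-147af19 63->67 "
    "68 147af1c-147af23 63->68 78 147afb9-147b018 64->78 66->63 67->68 69 147af25-147af2d 68->69 "
    "70 147af30-147af39 call 147a824 68->70 69->70 76 147af46-147af4b 70->76 77 147af3b-147af43 70->77 "
    "79 147af4d-147af54 76->79 80 147af69-147af76 76->80 77->76 96 147b01a-147b060 78->96 79->80 "
    "81 147af56-147af66 call 147a834 call 147a844 79->81 85 147af99-147af9f 80->85 86 147af78-147af96 80->86 "
    "81->80 86->85 97 147b062-147b065 96->97 98 147b068-147b093 GetModuleHandleW 96->98 97->98 "
    "99 147b095-147b09b 98->99 100 147b09c-147b0b0 98->100 99->100 102->60 103->60")
API_GETMODULEHANDLE = "• GetModuleHandleW.KERNELBASE(00000000), ref: 0147B086"
CFG_DUPLICATEHANDLE = (
    "control_flow_graph 137 147d2f9-147d2fe 138 147d300-147d394 DuplicateHandle 137->138 "
    "139 147d396-147d39c 138->139 140 147d39d-147d3ba 138->140 139->140")
API_DUPLICATEHANDLE = "• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0147D387"

@dataclass
class Block:
    node: int
    start: int
    end: int
    calls: list = field(default_factory=list)  # intra-module targets from "call <hex>"
    apis: list = field(default_factory=list)   # imported API names annotated on the block

@dataclass
class Cfg:
    blocks: dict = field(default_factory=dict)  # node id -> Block
    succ: dict = field(default_factory=dict)    # node id -> successor node ids
    entry: int = -1

def parse_cfg(line):
    """'<id> <start>[-<end>]' opens a block, 'call <hex>' and bare API names annotate it,
    '<a>-><b>' is an edge; node ids are decimal, addresses are hex."""
    tokens = line.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    cfg, cur, i = Cfg(), None, 1
    while i < len(tokens):
        tok, nxt = tokens[i], (tokens[i + 1] if i + 1 < len(tokens) else "")
        edge = EDGE_RE.match(tok)
        if edge:
            cfg.succ.setdefault(int(edge.group(1)), []).append(int(edge.group(2)))
            i += 1
        elif tok.isdigit() and ADDR_RE.match(nxt):
            lo, hi = ADDR_RE.match(nxt).groups()
            cur = Block(int(tok), int(lo, 16), int(hi or lo, 16))
            cfg.blocks[cur.node] = cur
            cfg.entry = cur.node if cfg.entry < 0 else cfg.entry
            i += 2
        elif cur is None:
            raise ValueError(f"annotation {tok!r} before any block")
        elif tok == "call" and nxt:
            cur.calls.append(int(nxt, 16))  # target is hex even when it is all digits (1479838)
            i += 2
        else:
            cur.apis.append(tok)  # anything else is an imported-API annotation
            i += 1
    return cfg

def reachable(cfg):
    """Node ids reachable from the entry over the recorded edges (plain BFS)."""
    seen, todo = {cfg.entry}, deque([cfg.entry])
    while todo:
        for s in cfg.succ.get(todo.popleft(), []):
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return seen

def internal_calls(cfg):
    """Sorted, de-duplicated 'call <hex>' targets: the function's intra-module callees."""
    return sorted({t for b in cfg.blocks.values() for t in b.calls})

def parse_api_ref(line):
    """'<Api>.<Module>(<args>), ref: <hex>' -> dict; '?' is an argument the report left unresolved."""
    m = API_REF_RE.match(line.strip())
    if not m:
        raise ValueError("not an APIs reference line")
    args = [a.strip() for a in m.group(3).split(",")] if m.group(3) else []
    return {"api": m.group(1), "module": m.group(2), "args": args, "ref": int(m.group(4), 16)}

def api_sites(cfg_line, api_line):
    """Join a function's CFG with its APIs line: the block that carries the import, whether
    it is reachable from the entry, and whether the call-site 'ref' really lies inside it."""
    cfg, ref = parse_cfg(cfg_line), parse_api_ref(api_line)
    live = reachable(cfg)
    return [{"api": ref["api"], "module": ref["module"], "args": ref["args"], "node": b.node,
             "block": (b.start, b.end), "reachable_from_entry": b.node in live,
             "ref_in_block": b.start <= ref["ref"] <= b.end}
            for b in cfg.blocks.values() if ref["api"] in b.apis]
```

`api_sites(CFG_GETMODULEHANDLE, API_GETMODULEHANDLE)` returns a single site on node 98, reachable from entry node 45, with `0147B086` inside `147b068-147b093`; `internal_calls` on the same function yields the seven intra-module callees (1479838, 147a814, 147a824, 147a834, 147a844, 147b0b8, 147b0c8) that would be the next records to pull up. A record where `ref_in_block` comes back False means the APIs line and the graph disagree and deserves a second look before its fuzzy hash is reused as an indicator.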
Memory Dump Source
• Source File: 00000000.00000002.1490193673.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_142d000_cici.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eaee09e322763ecf40bad49c9c9edcb7b92ce3c361be91352a99c424f92788ad
• Instruction ID: d4589785dc373836ff96286600117c64e6850cd09992c5d60be947b5d5c6d85a
• Opcode Fuzzy Hash: eaee09e322763ecf40bad49c9c9edcb7b92ce3c361be91352a99c424f92788ad
• Instruction Fuzzy Hash: CE2103B1904340DFDB15DF54D8C0B16BB65EB84218F64C56AD90A4B3A6C33AD487CA61

Memory Dump Source
• Source File: 00000000.00000002.1490193673.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_142d000_cici.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 17ff0c9aa6a8163a953526eee92a5c197d844f50aa9d434eaa526c0653e8d0dd
• Instruction ID: 9aa5911e5385b2617b5bb191e8baafef6111577bbcfeb1bbc8a067e2f1ab8a49
• Opcode Fuzzy Hash: 17ff0c9aa6a8163a953526eee92a5c197d844f50aa9d434eaa526c0653e8d0dd
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0E2180755093808FCB12CF64D590716BF71EB46218F28C5DBD8498B6A7C33A984ACB62
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1490581714.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_1470000_cici.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 99860c9df5236900c7597dfb64504d4aac77e35f1198cac90982744c06233177
                                                                                                                                                                                                                              • Instruction ID: 22344d76ab32074882a35da26215dc3d420cda3cb6f528a417113b339f9b3a39
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 99860c9df5236900c7597dfb64504d4aac77e35f1198cac90982744c06233177
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A1A18E32E102068FCF15DFB9C8405DEB7B2FF94300B15456AE916AF265DB71E95ACB80