Edit tour

Windows Analysis Report
https://r.clickwise.net/pap?k=1608105173.576&b=&a=59c203522ac2d&u=https://zapfibras.com.br/nu/dgev@oeiras.pt

Overview

General Information

Sample URL:	https://r.clickwise.net/pap?k=1608105173.576&b=&a=59c203522ac2d&u=https://zapfibras.com.br/nu/dgev@oeiras.pt
Analysis ID:	1671112
Infos:

Detection

Score:	21
Range:	0 - 100
Confidence:	80%

Signatures

Detected use of open redirect vulnerability

Detected suspicious crossdomain redirect

URL contains potential PII (phishing indication)

Classification

Process Tree

System is w10x64

chrome.exe (PID: 3704 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6132 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,14388118772384941128,232339286414297275,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2052 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6308 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://r.clickwise.net/pap?k=1608105173.576&b=&a=59c203522ac2d&u=https://zapfibras.com.br/nu/dgev@oeiras.pt" MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Phishing
• Compliance
• Networking
• System Summary

Click to jump to signature section

Show All Signature Results

Phishing

Detected use of open redirect vulnerability

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

HTTP traffic: Proxy from: r.clickwise.net/pap?k=1608105173.576&b=&a=59c203522ac2d&u=https://zapfibras.com.br/nu/dgev@oeiras.pt to https://zapfibras.com.br/nu/dgev@oeiras.pt

Source: unknown	HTTPS traffic detected: 142.250.69.4:443 -> 192.168.2.7:49686 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 206.189.245.37:443 -> 192.168.2.7:49689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 206.189.245.37:443 -> 192.168.2.7:49688 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.203.111:443 -> 192.168.2.7:49690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.148.161:443 -> 192.168.2.7:49691 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.215.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.98.62
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 23.199.215.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.98.62
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /pap?k=1608105173.576&b=&a=59c203522ac2d&u=https://zapfibras.com.br/nu/dgev@oeiras.pt HTTP/1.1Host: r.clickwise.netConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /nu/dgev@oeiras.pt HTTP/1.1Host: zapfibras.com.brConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /messaging.shtml?mode=dgev@oeiras.pt HTTP/1.1Host: application.extensoin.worldConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /messaging.shtml?mode=dgev@oeiras.pt HTTP/1.1Host: application.extensoin.worldConnection: keep-aliveCache-Control: max-age=0sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=rn6sial4570uqchr98c21qp4lm
Source: global traffic	HTTP traffic detected: GET /messaging.shtml?mode=dgev@oeiras.pt HTTP/1.1Host: application.extensoin.worldConnection: keep-aliveCache-Control: max-age=0sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=rn6sial4570uqchr98c21qp4lm

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: r.clickwise.net
Source: global traffic	DNS traffic detected: DNS query: zapfibras.com.br
Source: global traffic	DNS traffic detected: DNS query: application.extensoin.world

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Apr 2025 14:47:58 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeServer: cloudflareExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheCf-Cache-Status: DYNAMICSet-Cookie: PHPSESSID=rn6sial4570uqchr98c21qp4lm; Path=/CF-RAY: 9345eb5a2cd4091e-LAXalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Apr 2025 14:48:10 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeServer: cloudflareExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheCf-Cache-Status: DYNAMICCF-RAY: 9345ebaaba4df7e5-LAXalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Apr 2025 14:49:06 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeServer: cloudflareExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheCf-Cache-Status: DYNAMICCF-RAY: 9345ed0579d6f7df-LAXalt-svc: h3=":443"; ma=86400

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,14388118772384941128,232339286414297275,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2052 /prefetch:3
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://r.clickwise.net/pap?k=1608105173.576&b=&a=59c203522ac2d&u=https://zapfibras.com.br/nu/dgev@oeiras.pt"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,14388118772384941128,232339286414297275,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2052 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Web Protocols	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	3 Ingress Tool Transfer	Scheduled Transfer	Data Encrypted for Impact

Source	Detection	Scanner	Label	Link
https://zapfibras.com.br/nu/dgev@oeiras.pt	0%	Avira URL Cloud	safe
https://application.extensoin.world/messaging.shtml?mode=dgev@oeiras.pt	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
r.clickwise.net	206.189.245.37	true	true	unknown
application.extensoin.world	172.67.148.161	true	false	unknown
www.google.com	142.250.69.4	true	false	high
zapfibras.com.br	162.241.203.111	true	true	unknown

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.69.4	www.google.com	United States	15169	GOOGLEUS	false
206.189.245.37	r.clickwise.net	United States	14061	DIGITALOCEAN-ASNUS	true
162.241.203.111	zapfibras.com.br	United States	26337	OIS1US	true
172.67.148.161	application.extensoin.world	United States	13335	CLOUDFLARENETUS	false

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1671112
Start date and time:	2025-04-22 16:46:53 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://r.clickwise.net/pap?k=1608105173.576&b=&a=59c203522ac2d&u=https://zapfibras.com.br/nu/dgev@oeiras.pt
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus21.phis.win@25/0@8/5

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 22, 2025 16:47:48.315372944 CEST	53	62681	1.1.1.1	192.168.2.7
Apr 22, 2025 16:47:48.318790913 CEST	53	65109	1.1.1.1	192.168.2.7
Apr 22, 2025 16:47:49.319874048 CEST	53	61141	1.1.1.1	192.168.2.7
Apr 22, 2025 16:47:49.532541037 CEST	53	51356	1.1.1.1	192.168.2.7
Apr 22, 2025 16:47:52.802442074 CEST	57949	53	192.168.2.7	1.1.1.1
Apr 22, 2025 16:47:52.802587986 CEST	50375	53	192.168.2.7	1.1.1.1
Apr 22, 2025 16:47:52.942624092 CEST	53	57949	1.1.1.1	192.168.2.7
Apr 22, 2025 16:47:52.942879915 CEST	53	50375	1.1.1.1	192.168.2.7
Apr 22, 2025 16:47:53.984385967 CEST	61131	53	192.168.2.7	1.1.1.1
Apr 22, 2025 16:47:53.993047953 CEST	55655	53	192.168.2.7	1.1.1.1
Apr 22, 2025 16:47:54.316054106 CEST	53	55655	1.1.1.1	192.168.2.7
Apr 22, 2025 16:47:54.318051100 CEST	53	61131	1.1.1.1	192.168.2.7
Apr 22, 2025 16:47:55.396028996 CEST	62098	53	192.168.2.7	1.1.1.1
Apr 22, 2025 16:47:55.396215916 CEST	52777	53	192.168.2.7	1.1.1.1
Apr 22, 2025 16:47:55.671868086 CEST	53	52777	1.1.1.1	192.168.2.7
Apr 22, 2025 16:47:55.677145004 CEST	53	62098	1.1.1.1	192.168.2.7
Apr 22, 2025 16:47:57.023595095 CEST	51368	53	192.168.2.7	1.1.1.1
Apr 22, 2025 16:47:57.023745060 CEST	53229	53	192.168.2.7	1.1.1.1
Apr 22, 2025 16:47:57.187045097 CEST	53	51368	1.1.1.1	192.168.2.7
Apr 22, 2025 16:47:57.209220886 CEST	53	53229	1.1.1.1	192.168.2.7
Apr 22, 2025 16:48:06.443005085 CEST	53	60613	1.1.1.1	192.168.2.7
Apr 22, 2025 16:48:25.537352085 CEST	53	63050	1.1.1.1	192.168.2.7
Apr 22, 2025 16:48:48.149935007 CEST	53	54506	1.1.1.1	192.168.2.7
Apr 22, 2025 16:48:48.524121046 CEST	53	61975	1.1.1.1	192.168.2.7
Apr 22, 2025 16:48:51.552392960 CEST	53	58942	1.1.1.1	192.168.2.7

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 22, 2025 16:47:52.802442074 CEST	192.168.2.7	1.1.1.1	0xd16b	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:47:52.802587986 CEST	192.168.2.7	1.1.1.1	0xa9b9	Standard query (0)	www.google.com	65	IN (0x0001)	false
Apr 22, 2025 16:47:53.984385967 CEST	192.168.2.7	1.1.1.1	0x454b	Standard query (0)	r.clickwise.net	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:47:53.993047953 CEST	192.168.2.7	1.1.1.1	0x42c5	Standard query (0)	r.clickwise.net	65	IN (0x0001)	false
Apr 22, 2025 16:47:55.396028996 CEST	192.168.2.7	1.1.1.1	0x5410	Standard query (0)	zapfibras.com.br	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:47:55.396215916 CEST	192.168.2.7	1.1.1.1	0xd259	Standard query (0)	zapfibras.com.br	65	IN (0x0001)	false
Apr 22, 2025 16:47:57.023595095 CEST	192.168.2.7	1.1.1.1	0x4c4b	Standard query (0)	application.extensoin.world	A (IP address)	IN (0x0001)	false
Apr 22, 2025 16:47:57.023745060 CEST	192.168.2.7	1.1.1.1	0x79cf	Standard query (0)	application.extensoin.world	65	IN (0x0001)	false

Name	Malicious	Antivirus Detection	Reputation
https://zapfibras.com.br/nu/dgev@oeiras.pt	true	Avira URL Cloud: safe	unknown
https://r.clickwise.net/pap?k=1608105173.576&b=&a=59c203522ac2d&u=https://zapfibras.com.br/nu/dgev@oeiras.pt	false		unknown
https://application.extensoin.world/messaging.shtml?mode=dgev@oeiras.pt	false	Avira URL Cloud: safe	unknown

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 22, 2025 16:47:43.878945112 CEST	49676	80	192.168.2.7	23.199.215.203
Apr 22, 2025 16:47:43.878962040 CEST	49677	443	192.168.2.7	2.18.98.62
Apr 22, 2025 16:47:45.972656965 CEST	49674	443	192.168.2.7	2.23.227.208
Apr 22, 2025 16:47:52.943763018 CEST	49686	443	192.168.2.7	142.250.69.4
Apr 22, 2025 16:47:52.943806887 CEST	443	49686	142.250.69.4	192.168.2.7
Apr 22, 2025 16:47:52.943873882 CEST	49686	443	192.168.2.7	142.250.69.4
Apr 22, 2025 16:47:52.944032907 CEST	49686	443	192.168.2.7	142.250.69.4
Apr 22, 2025 16:47:52.944055080 CEST	443	49686	142.250.69.4	192.168.2.7
Apr 22, 2025 16:47:53.263242960 CEST	443	49686	142.250.69.4	192.168.2.7
Apr 22, 2025 16:47:53.263312101 CEST	49686	443	192.168.2.7	142.250.69.4
Apr 22, 2025 16:47:53.264633894 CEST	49686	443	192.168.2.7	142.250.69.4
Apr 22, 2025 16:47:53.264643908 CEST	443	49686	142.250.69.4	192.168.2.7
Apr 22, 2025 16:47:53.264889956 CEST	443	49686	142.250.69.4	192.168.2.7
Apr 22, 2025 16:47:53.316499949 CEST	49686	443	192.168.2.7	142.250.69.4
Apr 22, 2025 16:47:53.481945992 CEST	49676	80	192.168.2.7	23.199.215.203
Apr 22, 2025 16:47:53.481959105 CEST	49677	443	192.168.2.7	2.18.98.62
Apr 22, 2025 16:47:54.319519043 CEST	49688	443	192.168.2.7	206.189.245.37
Apr 22, 2025 16:47:54.319574118 CEST	443	49688	206.189.245.37	192.168.2.7
Apr 22, 2025 16:47:54.319972038 CEST	49689	443	192.168.2.7	206.189.245.37
Apr 22, 2025 16:47:54.320022106 CEST	443	49689	206.189.245.37	192.168.2.7
Apr 22, 2025 16:47:54.320059061 CEST	49688	443	192.168.2.7	206.189.245.37
Apr 22, 2025 16:47:54.320132017 CEST	49689	443	192.168.2.7	206.189.245.37
Apr 22, 2025 16:47:54.320678949 CEST	49688	443	192.168.2.7	206.189.245.37
Apr 22, 2025 16:47:54.320693970 CEST	443	49688	206.189.245.37	192.168.2.7
Apr 22, 2025 16:47:54.320698023 CEST	49689	443	192.168.2.7	206.189.245.37
Apr 22, 2025 16:47:54.320714951 CEST	443	49689	206.189.245.37	192.168.2.7
Apr 22, 2025 16:47:55.124953032 CEST	443	49689	206.189.245.37	192.168.2.7
Apr 22, 2025 16:47:55.125035048 CEST	49689	443	192.168.2.7	206.189.245.37
Apr 22, 2025 16:47:55.126111984 CEST	49689	443	192.168.2.7	206.189.245.37
Apr 22, 2025 16:47:55.126121044 CEST	443	49689	206.189.245.37	192.168.2.7
Apr 22, 2025 16:47:55.126360893 CEST	443	49689	206.189.245.37	192.168.2.7
Apr 22, 2025 16:47:55.126656055 CEST	49689	443	192.168.2.7	206.189.245.37
Apr 22, 2025 16:47:55.132858038 CEST	443	49688	206.189.245.37	192.168.2.7
Apr 22, 2025 16:47:55.132956982 CEST	49688	443	192.168.2.7	206.189.245.37
Apr 22, 2025 16:47:55.133832932 CEST	49688	443	192.168.2.7	206.189.245.37
Apr 22, 2025 16:47:55.133841991 CEST	443	49688	206.189.245.37	192.168.2.7
Apr 22, 2025 16:47:55.134094954 CEST	443	49688	206.189.245.37	192.168.2.7
Apr 22, 2025 16:47:55.172264099 CEST	443	49689	206.189.245.37	192.168.2.7
Apr 22, 2025 16:47:55.184545994 CEST	49688	443	192.168.2.7	206.189.245.37
Apr 22, 2025 16:47:55.393098116 CEST	443	49689	206.189.245.37	192.168.2.7
Apr 22, 2025 16:47:55.393521070 CEST	49689	443	192.168.2.7	206.189.245.37
Apr 22, 2025 16:47:55.393558979 CEST	443	49689	206.189.245.37	192.168.2.7
Apr 22, 2025 16:47:55.393635035 CEST	49689	443	192.168.2.7	206.189.245.37
Apr 22, 2025 16:47:55.586385012 CEST	49674	443	192.168.2.7	2.23.227.208
Apr 22, 2025 16:47:55.677624941 CEST	49690	443	192.168.2.7	162.241.203.111
Apr 22, 2025 16:47:55.677678108 CEST	443	49690	162.241.203.111	192.168.2.7
Apr 22, 2025 16:47:55.677747011 CEST	49690	443	192.168.2.7	162.241.203.111
Apr 22, 2025 16:47:55.678035975 CEST	49690	443	192.168.2.7	162.241.203.111
Apr 22, 2025 16:47:55.678047895 CEST	443	49690	162.241.203.111	192.168.2.7
Apr 22, 2025 16:47:56.043548107 CEST	443	49690	162.241.203.111	192.168.2.7
Apr 22, 2025 16:47:56.043677092 CEST	49690	443	192.168.2.7	162.241.203.111
Apr 22, 2025 16:47:56.164539099 CEST	49690	443	192.168.2.7	162.241.203.111
Apr 22, 2025 16:47:56.164576054 CEST	443	49690	162.241.203.111	192.168.2.7
Apr 22, 2025 16:47:56.164894104 CEST	443	49690	162.241.203.111	192.168.2.7
Apr 22, 2025 16:47:56.167685986 CEST	49690	443	192.168.2.7	162.241.203.111
Apr 22, 2025 16:47:56.208276033 CEST	443	49690	162.241.203.111	192.168.2.7
Apr 22, 2025 16:47:57.021260977 CEST	443	49690	162.241.203.111	192.168.2.7
Apr 22, 2025 16:47:57.021337032 CEST	443	49690	162.241.203.111	192.168.2.7
Apr 22, 2025 16:47:57.021703005 CEST	49690	443	192.168.2.7	162.241.203.111
Apr 22, 2025 16:47:57.021742105 CEST	443	49690	162.241.203.111	192.168.2.7
Apr 22, 2025 16:47:57.021750927 CEST	49690	443	192.168.2.7	162.241.203.111
Apr 22, 2025 16:47:57.023098946 CEST	49690	443	192.168.2.7	162.241.203.111
Apr 22, 2025 16:47:57.209865093 CEST	49691	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:47:57.209913969 CEST	443	49691	172.67.148.161	192.168.2.7
Apr 22, 2025 16:47:57.210074902 CEST	49691	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:47:57.210268974 CEST	49691	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:47:57.210279942 CEST	443	49691	172.67.148.161	192.168.2.7
Apr 22, 2025 16:47:57.522897959 CEST	443	49691	172.67.148.161	192.168.2.7
Apr 22, 2025 16:47:57.523032904 CEST	49691	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:47:57.524101019 CEST	49691	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:47:57.524111986 CEST	443	49691	172.67.148.161	192.168.2.7
Apr 22, 2025 16:47:57.524353027 CEST	443	49691	172.67.148.161	192.168.2.7
Apr 22, 2025 16:47:57.524646997 CEST	49691	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:47:57.572267056 CEST	443	49691	172.67.148.161	192.168.2.7
Apr 22, 2025 16:47:58.119343042 CEST	443	49691	172.67.148.161	192.168.2.7
Apr 22, 2025 16:47:58.119396925 CEST	443	49691	172.67.148.161	192.168.2.7
Apr 22, 2025 16:47:58.119549990 CEST	49691	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:47:58.120174885 CEST	49691	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:47:58.120191097 CEST	443	49691	172.67.148.161	192.168.2.7
Apr 22, 2025 16:48:03.295016050 CEST	443	49686	142.250.69.4	192.168.2.7
Apr 22, 2025 16:48:03.295083046 CEST	443	49686	142.250.69.4	192.168.2.7
Apr 22, 2025 16:48:03.295145035 CEST	49686	443	192.168.2.7	142.250.69.4
Apr 22, 2025 16:48:03.459373951 CEST	49686	443	192.168.2.7	142.250.69.4
Apr 22, 2025 16:48:03.459400892 CEST	443	49686	142.250.69.4	192.168.2.7
Apr 22, 2025 16:48:06.824197054 CEST	49672	443	192.168.2.7	2.23.227.208
Apr 22, 2025 16:48:06.824244022 CEST	443	49672	2.23.227.208	192.168.2.7
Apr 22, 2025 16:48:10.104072094 CEST	49701	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:48:10.104137897 CEST	443	49701	172.67.148.161	192.168.2.7
Apr 22, 2025 16:48:10.104228020 CEST	49701	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:48:10.104273081 CEST	49702	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:48:10.104310036 CEST	443	49702	172.67.148.161	192.168.2.7
Apr 22, 2025 16:48:10.104404926 CEST	49702	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:48:10.104614019 CEST	49701	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:48:10.104626894 CEST	443	49701	172.67.148.161	192.168.2.7
Apr 22, 2025 16:48:10.105187893 CEST	49702	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:48:10.105200052 CEST	443	49702	172.67.148.161	192.168.2.7
Apr 22, 2025 16:48:10.410340071 CEST	443	49701	172.67.148.161	192.168.2.7
Apr 22, 2025 16:48:10.410604000 CEST	49701	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:48:10.410641909 CEST	443	49701	172.67.148.161	192.168.2.7
Apr 22, 2025 16:48:10.411187887 CEST	49701	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:48:10.411207914 CEST	443	49701	172.67.148.161	192.168.2.7
Apr 22, 2025 16:48:10.411675930 CEST	443	49702	172.67.148.161	192.168.2.7
Apr 22, 2025 16:48:10.412117958 CEST	49702	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:48:10.412147045 CEST	443	49702	172.67.148.161	192.168.2.7
Apr 22, 2025 16:48:10.812779903 CEST	443	49701	172.67.148.161	192.168.2.7
Apr 22, 2025 16:48:10.812841892 CEST	443	49701	172.67.148.161	192.168.2.7
Apr 22, 2025 16:48:10.812927008 CEST	49701	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:48:10.813436985 CEST	49701	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:48:10.813462973 CEST	443	49701	172.67.148.161	192.168.2.7
Apr 22, 2025 16:48:20.708548069 CEST	49671	443	192.168.2.7	204.79.197.203
Apr 22, 2025 16:48:21.020570993 CEST	49671	443	192.168.2.7	204.79.197.203
Apr 22, 2025 16:48:21.629221916 CEST	49671	443	192.168.2.7	204.79.197.203
Apr 22, 2025 16:48:22.832320929 CEST	49671	443	192.168.2.7	204.79.197.203
Apr 22, 2025 16:48:25.239401102 CEST	49671	443	192.168.2.7	204.79.197.203
Apr 22, 2025 16:48:25.405215025 CEST	443	49702	172.67.148.161	192.168.2.7
Apr 22, 2025 16:48:25.405298948 CEST	443	49702	172.67.148.161	192.168.2.7
Apr 22, 2025 16:48:25.405448914 CEST	49702	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:48:25.481282949 CEST	49702	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:48:25.481311083 CEST	443	49702	172.67.148.161	192.168.2.7
Apr 22, 2025 16:48:29.286127090 CEST	49678	443	192.168.2.7	20.189.173.15
Apr 22, 2025 16:48:29.591653109 CEST	49678	443	192.168.2.7	20.189.173.15
Apr 22, 2025 16:48:30.050975084 CEST	49671	443	192.168.2.7	204.79.197.203
Apr 22, 2025 16:48:30.207257986 CEST	49678	443	192.168.2.7	20.189.173.15
Apr 22, 2025 16:48:31.410914898 CEST	49678	443	192.168.2.7	20.189.173.15
Apr 22, 2025 16:48:33.817218065 CEST	49678	443	192.168.2.7	20.189.173.15
Apr 22, 2025 16:48:38.618907928 CEST	49678	443	192.168.2.7	20.189.173.15
Apr 22, 2025 16:48:39.660914898 CEST	49671	443	192.168.2.7	204.79.197.203
Apr 22, 2025 16:48:40.160739899 CEST	49688	443	192.168.2.7	206.189.245.37
Apr 22, 2025 16:48:40.160763979 CEST	443	49688	206.189.245.37	192.168.2.7
Apr 22, 2025 16:48:48.223903894 CEST	49678	443	192.168.2.7	20.189.173.15
Apr 22, 2025 16:48:52.865439892 CEST	49712	443	192.168.2.7	142.250.69.4
Apr 22, 2025 16:48:52.865498066 CEST	443	49712	142.250.69.4	192.168.2.7
Apr 22, 2025 16:48:52.865561008 CEST	49712	443	192.168.2.7	142.250.69.4
Apr 22, 2025 16:48:52.865808964 CEST	49712	443	192.168.2.7	142.250.69.4
Apr 22, 2025 16:48:52.865822077 CEST	443	49712	142.250.69.4	192.168.2.7
Apr 22, 2025 16:48:53.180365086 CEST	443	49712	142.250.69.4	192.168.2.7
Apr 22, 2025 16:48:53.180692911 CEST	49712	443	192.168.2.7	142.250.69.4
Apr 22, 2025 16:48:53.180726051 CEST	443	49712	142.250.69.4	192.168.2.7
Apr 22, 2025 16:48:54.853374004 CEST	443	49688	206.189.245.37	192.168.2.7
Apr 22, 2025 16:48:54.853463888 CEST	443	49688	206.189.245.37	192.168.2.7
Apr 22, 2025 16:48:54.853519917 CEST	49688	443	192.168.2.7	206.189.245.37
Apr 22, 2025 16:48:55.459405899 CEST	49688	443	192.168.2.7	206.189.245.37
Apr 22, 2025 16:48:55.459436893 CEST	443	49688	206.189.245.37	192.168.2.7
Apr 22, 2025 16:49:03.165816069 CEST	443	49712	142.250.69.4	192.168.2.7
Apr 22, 2025 16:49:03.165870905 CEST	443	49712	142.250.69.4	192.168.2.7
Apr 22, 2025 16:49:03.165939093 CEST	49712	443	192.168.2.7	142.250.69.4
Apr 22, 2025 16:49:03.459323883 CEST	49712	443	192.168.2.7	142.250.69.4
Apr 22, 2025 16:49:03.459356070 CEST	443	49712	142.250.69.4	192.168.2.7
Apr 22, 2025 16:49:05.585005045 CEST	49716	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:49:05.585095882 CEST	443	49716	172.67.148.161	192.168.2.7
Apr 22, 2025 16:49:05.585153103 CEST	49717	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:49:05.585197926 CEST	443	49717	172.67.148.161	192.168.2.7
Apr 22, 2025 16:49:05.585197926 CEST	49716	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:49:05.585262060 CEST	49717	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:49:05.585592031 CEST	49717	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:49:05.585604906 CEST	443	49717	172.67.148.161	192.168.2.7
Apr 22, 2025 16:49:05.585678101 CEST	49716	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:49:05.585714102 CEST	443	49716	172.67.148.161	192.168.2.7
Apr 22, 2025 16:49:05.891463041 CEST	443	49717	172.67.148.161	192.168.2.7
Apr 22, 2025 16:49:05.891798019 CEST	49717	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:49:05.891833067 CEST	443	49717	172.67.148.161	192.168.2.7
Apr 22, 2025 16:49:05.892038107 CEST	49717	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:49:05.892045021 CEST	443	49717	172.67.148.161	192.168.2.7
Apr 22, 2025 16:49:05.894655943 CEST	443	49716	172.67.148.161	192.168.2.7
Apr 22, 2025 16:49:05.894876003 CEST	49716	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:49:05.894906044 CEST	443	49716	172.67.148.161	192.168.2.7
Apr 22, 2025 16:49:06.299046993 CEST	443	49717	172.67.148.161	192.168.2.7
Apr 22, 2025 16:49:06.299109936 CEST	443	49717	172.67.148.161	192.168.2.7
Apr 22, 2025 16:49:06.299190044 CEST	49717	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:49:06.299627066 CEST	49717	443	192.168.2.7	172.67.148.161
Apr 22, 2025 16:49:06.299640894 CEST	443	49717	172.67.148.161	192.168.2.7

Timestamp	Bytes transferred	Direction	Data
2025-04-22 14:47:55 UTC	749	OUT	GET /pap?k=1608105173.576&b=&a=59c203522ac2d&u=https://zapfibras.com.br/nu/dgev@oeiras.pt HTTP/1.1 Host: r.clickwise.net Connection: keep-alive sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-04-22 14:47:55 UTC	237	IN	HTTP/1.1 302 Found Server: openresty/1.17.8.2 Date: Tue, 22 Apr 2025 14:47:55 GMT Content-Type: text/html; charset=utf-8 Content-Length: 65 Connection: close Location: https://zapfibras.com.br/nu/dgev@oeiras.pt X-Err: off time
2025-04-22 14:47:55 UTC	65	IN	Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 7a 61 70 66 69 62 72 61 73 2e 63 6f 6d 2e 62 72 2f 6e 75 2f 64 67 65 76 40 6f 65 69 72 61 73 2e 70 74 22 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="https://zapfibras.com.br/nu/dgev@oeiras.pt">Found</a>.

Timestamp	Bytes transferred	Direction	Data
2025-04-22 14:47:56 UTC	683	OUT	GET /nu/dgev@oeiras.pt HTTP/1.1 Host: zapfibras.com.br Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-04-22 14:47:57 UTC	274	IN	HTTP/1.1 302 Moved Temporarily Date: Tue, 22 Apr 2025 14:47:56 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Location: https://application.extensoin.world/messaging.shtml?mode=dgev@oeiras.pt Content-Length: 0 Content-Type: text/html; charset=UTF-8

Timestamp	Bytes transferred	Direction	Data
2025-04-22 14:47:57 UTC	712	OUT	GET /messaging.shtml?mode=dgev@oeiras.pt HTTP/1.1 Host: application.extensoin.world Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-04-22 14:47:58 UTC	424	IN	HTTP/1.1 404 Not Found Date: Tue, 22 Apr 2025 14:47:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Server: cloudflare Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Cf-Cache-Status: DYNAMIC Set-Cookie: PHPSESSID=rn6sial4570uqchr98c21qp4lm; Path=/ CF-RAY: 9345eb5a2cd4091e-LAX alt-svc: h3=":443"; ma=86400
2025-04-22 14:47:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-04-22 14:48:10 UTC	790	OUT	GET /messaging.shtml?mode=dgev@oeiras.pt HTTP/1.1 Host: application.extensoin.world Connection: keep-alive Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=rn6sial4570uqchr98c21qp4lm
2025-04-22 14:48:10 UTC	366	IN	HTTP/1.1 404 Not Found Date: Tue, 22 Apr 2025 14:48:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Server: cloudflare Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Cf-Cache-Status: DYNAMIC CF-RAY: 9345ebaaba4df7e5-LAX alt-svc: h3=":443"; ma=86400
2025-04-22 14:48:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-04-22 14:49:05 UTC	790	OUT	GET /messaging.shtml?mode=dgev@oeiras.pt HTTP/1.1 Host: application.extensoin.world Connection: keep-alive Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=rn6sial4570uqchr98c21qp4lm
2025-04-22 14:49:06 UTC	366	IN	HTTP/1.1 404 Not Found Date: Tue, 22 Apr 2025 14:49:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Server: cloudflare Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Cf-Cache-Status: DYNAMIC CF-RAY: 9345ed0579d6f7df-LAX alt-svc: h3=":443"; ma=86400
2025-04-22 14:49:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	10:47:46
Start date:	22/04/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff778810000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	5
Start time:	10:47:53
Start date:	22/04/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://r.clickwise.net/pap?k=1608105173.576&b=&a=59c203522ac2d&u=https://zapfibras.com.br/nu/dgev@oeiras.pt"
Imagebase:	0x7ff778810000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://r.clickwise.net/pap?k=1608105173.576&b=&a=59c203522ac2d&u=https://zapfibras.com.br/nu/dgev@oeiras.pt

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 3704, Parent PID: 4144

General

File Activities

File Opened

File Created

File Deleted

File Moved

Other File Operations

Registry Activities

Key Deleted

Key Value Deleted

COM Activities

WMI Operations

Process Activities

Process Created

Process Terminated

Windows Analysis Report
https://r.clickwise.net/pap?k=1608105173.576&b=&a=59c203522ac2d&u=https://zapfibras.com.br/nu/dgev@oeiras.pt

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre