Edit tour

Windows Analysis Report
MFA.png

Overview

General Information

Sample Name:	MFA.png
Analysis ID:	1297427
MD5:	af8f9a21b423aa84a456d75bdcaf5c7e
SHA1:	8ee182c96de7e89e037da752ee0addd2ad80c97e
SHA256:	2e2bf46a0b5e6fb48e46c60711d2fc4ad90418d47999f8d2c5944aeae1b5e388
Infos:

Detection

HTMLPhisher

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Phishing site detected (based on favicon image match)

Yara detected HtmlPhish54

Phishing site detected (based on logo match)

Phishing site detected (based on image similarity)

Queries the volume information (name, serial number etc) of a device

Found iframes

Creates files inside the system directory

HTML body contains low number of good links

HTML title does not match URL

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

mspaint.exe (PID: 7068 cmdline: mspaint.exe "C:\Users\user\Desktop\MFA.png" MD5: B59CF145BBAE39672321768B33A01CFA)

chrome.exe (PID: 5992 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://0ffice-authentication.com/?mfknxooz MD5: 8D1C4713ACB7CC2AAAEE4477C58A80BA)

chrome.exe (PID: 5640 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1888,i,2116380640700791652,7274111503676162324,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 8D1C4713ACB7CC2AAAEE4477C58A80BA)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author
0.0.pages.csv	JoeSecurity_HtmlPhish_54	Yara detected HtmlPhish_54	Joe Security
1.2.pages.csv	JoeSecurity_HtmlPhish_54	Yara detected HtmlPhish_54	Joe Security
1.4.pages.csv	JoeSecurity_HtmlPhish_54	Yara detected HtmlPhish_54	Joe Security
1.1.pages.csv	JoeSecurity_HtmlPhish_54	Yara detected HtmlPhish_54	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

Phishing site detected (based on favicon image match)

Source: https://0ffice-authentication.com	Matcher: Template: microsoft matched with high similarity
Source: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=true	Matcher: Template: microsoft matched with high similarity

Yara detected HtmlPhish54

Source: Yara match	File source: 0.0.pages.csv, type: HTML
Source: Yara match	File source: 1.2.pages.csv, type: HTML
Source: Yara match	File source: 1.4.pages.csv, type: HTML
Source: Yara match	File source: 1.1.pages.csv, type: HTML

Phishing site detected (based on logo match)

Source: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=true	Matcher: Template: microsoft matched
Source: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=true	Matcher: Template: microsoft matched

Phishing site detected (based on image similarity)

Source: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=true

Matcher: Found strong image similarity, brand: MICROSOFT

HTTP Parser: Iframe src: https://login.live.com/Me.htm?v=3

HTTP Parser: Number of links: 0

HTTP Parser: Title: Sign in to your account does not match URL

HTTP Parser: <input type="password" .../> found

Source: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=true	HTTP Parser: No <meta name="author".. found
Source: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=true	HTTP Parser: No <meta name="author".. found
Source: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=true	HTTP Parser: No <meta name="author".. found

HTTP Parser: No favicon

Source: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=true	HTTP Parser: No <meta name="copyright".. found
Source: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=true	HTTP Parser: No <meta name="copyright".. found
Source: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=true	HTTP Parser: No <meta name="copyright".. found

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_5992_2019779022	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_pnacl_sz_nexe	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_libpnacl_irt_shim_a	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_libpnacl_irt_shim_dummy_a	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_crtbegin_for_eh_o	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_crtbegin_o	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_pnacl_json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_libgcc_a	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_pnacl_llc_nexe	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_libcrt_platform_a	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_crtend_o	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_ld_nexe	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\manifest.fingerprint	Jump to behavior

Source: Joe Sandbox View

IP Address: 13.107.246.60 13.107.246.60

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateSet-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponlyStrict-Transport-Security: max-age=31536000; includeSubDomainsP3P: CP="DSP CUR OTPi IND OTRi ONL FIN"x-ms-request-id: 5ed61a02-7dde-4f57-9556-b7a1937a8a00x-ms-ests-server: 2.1.16150.3 - WEULR1 ProdSlicesreport-to: {"group":"network-errors","max_age":86400,"endpoints":[{"url":"https://identity.nel.measure.office.net/api/report?catId=GW+estsfd+SEC"}]}nel: {"report_to":"network-errors","max_age":86400,"success_fraction":0.001,"failure_fraction":1.0}Referrer-Policy: strict-origin-when-cross-originDate: Fri, 25 Aug 2023 13:28:24 GMTConnection: closeContent-Length: 0Content-Security-Policy: default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'; form-action * data: blob: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: filesystem: ; frame-ancestors 'self' * http://* https://* file://* about: javascript: data: blob: filesystem: ; object-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';

Source: chromecache_228.4.dr	String found in binary or memory: http://knockoutjs.com/
Source: pnacl_public_x86_64_pnacl_llc_nexe.3.dr, pnacl_public_x86_64_pnacl_sz_nexe.3.dr	String found in binary or memory: http://llvm.org/):
Source: chromecache_228.4.dr	String found in binary or memory: http://www.json.org/json2.js
Source: chromecache_228.4.dr	String found in binary or memory: http://www.opensource.org/licenses/mit-license.php)
Source: pnacl_public_x86_64_crtend_o.3.dr, pnacl_public_x86_64_pnacl_sz_nexe.3.dr	String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-clang.git
Source: pnacl_public_x86_64_crtend_o.3.dr, pnacl_public_x86_64_pnacl_sz_nexe.3.dr	String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-llvm.git
Source: manifest.json.3.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: pnacl_public_x86_64_ld_nexe.3.dr	String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry
Source: pnacl_public_x86_64_ld_nexe.3.dr	String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry%s:
Source: chromecache_228.4.dr	String found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.analytics-web-2.min.js
Source: chromecache_220.4.dr, chromecache_222.4.dr	String found in binary or memory: https://login.microsoftonline.com
Source: chromecache_220.4.dr, chromecache_222.4.dr	String found in binary or memory: https://login.windows-ppe.net

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=Dvrtrktau_uydMvoGc1_xfN2ULJBRPHxz6q2oM2aufczSxk8Cchv3g2jlLVO-eHXlJ_BwPi1P-zYcjdR9AuTyG10jrJ2AzQ7yL8SBUliEafdzZn70Pmm-r8GrPXaz7LFgctn_yZRHpJXI09tbP_WroWCmYwT_a7Fwj8gHnQ5nbY; AEC=Ad49MVGGktvnyMQBXjxfVM4VyQMgBORLkDWV_5bpQs3oS50vEqIAFgkFMBQ; CONSENT=PENDING+008; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDMtMF9SQzIaAmRlIAEaBgiA0dCmBg; __Secure-ENID=14.SE=ASWfeSSVBcK3LyggZgGhgI5yIs3Z2wYpfR6yuK81LiYU6I0bFs937AKcakQoHnJkxVLloWnpVW_r8Ar2dupLdGHUm260SY6_u_8bKbtIVuC2UT3_Sjp3_6n5MjyjVSOfngggQke4VZle0rxsEtTK1UwAzXaROx3bb_2_jH9Xta1jpoaREw

Source: unknown

DNS traffic detected: queries for: 0ffice-authentication.com

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=115.0.5790.171&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-115.0.5790.171Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /?mfknxooz HTTP/1.1Host: 0ffice-authentication.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0 HTTP/1.1Host: 0ffice-authentication.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I
Source: global traffic	HTTP traffic detected: GET /aadcdn.msauth.net/~/shared/1.0/content/js/BssoInterrupt_Core_nun_Nob0yT2WjCUfgBCTog2.js HTTP/1.1Host: 0ffice-authentication.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; fpc=Avk-wbVDnvdIr9avJqHlFZI; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd
Source: global traffic	HTTP traffic detected: GET /__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=true HTTP/1.1Host: 0ffice-authentication.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; fpc=Avk-wbVDnvdIr9avJqHlFZI; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: 0ffice-authentication.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; fpc=Avk-wbVDnvdIr9avJqHlFZI; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1
Source: global traffic	HTTP traffic detected: GET /aadcdn.msauth.net/~/ests/2.1/content/cdnbundles/converged.v2.login.min_xs4q-enqjizb-pd0ha63sw2.css HTTP/1.1Host: 0ffice-authentication.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=trueAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA
Source: global traffic	HTTP traffic detected: GET /aadcdn.msauth.net/~/shared/1.0/content/js/ConvergedLogin_PCore_2W3IEdsiCwViwvv0RWyRLg2.js HTTP/1.1Host: 0ffice-authentication.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=trueAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA
Source: global traffic	HTTP traffic detected: GET /aadcdn.msauth.net/~/ests/2.1/content/cdnbundles/ux.converged.login.strings-en.min_vts8ra1it9l0lgwizaxzhg2.js HTTP/1.1Host: 0ffice-authentication.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=trueAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA
Source: global traffic	HTTP traffic detected: GET /aadcdn.msauth.net/~/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico HTTP/1.1Host: 0ffice-authentication.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=trueAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0
Source: global traffic	HTTP traffic detected: GET /aadcdn.msauth.net/~/shared/1.0/content/js/asyncchunk/convergedlogin_pcustomizationloader_80e93b9a4cb13643afca.js HTTP/1.1Host: 0ffice-authentication.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=trueAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA
Source: global traffic	HTTP traffic detected: GET /aadcdn.msauth.net/~/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico HTTP/1.1Host: 0ffice-authentication.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0
Source: global traffic	HTTP traffic detected: GET /aadcdn.msauth.net/~/shared/1.0/content/js/asyncchunk/convergedlogin_pfetchsessionsprogress_ae573f441ee1cf781ec7.js HTTP/1.1Host: 0ffice-authentication.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=trueAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0
Source: global traffic	HTTP traffic detected: GET /aadcdn.msauth.net/~/shared/1.0/content/images/marching_ants_white_166de53471265253ab3a456defe6da23.gif HTTP/1.1Host: 0ffice-authentication.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=trueAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0
Source: global traffic	HTTP traffic detected: GET /aadcdn.msauth.net/~/shared/1.0/content/images/marching_ants_b540a8e518037192e32c4fe58bf2dbab.gif HTTP/1.1Host: 0ffice-authentication.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=trueAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0
Source: global traffic	HTTP traffic detected: GET /aadcdn.msauth.net/~/shared/1.0/content/images/marching_ants_white_166de53471265253ab3a456defe6da23.gif HTTP/1.1Host: 0ffice-authentication.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0
Source: global traffic	HTTP traffic detected: GET /aadcdn.msauth.net/~/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.svg HTTP/1.1Host: 0ffice-authentication.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=trueAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0
Source: global traffic	HTTP traffic detected: GET /aadcdn.msauth.net/~/shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg HTTP/1.1Host: 0ffice-authentication.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=trueAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0
Source: global traffic	HTTP traffic detected: GET /aadcdn.msauth.net/~/shared/1.0/content/images/marching_ants_b540a8e518037192e32c4fe58bf2dbab.gif HTTP/1.1Host: 0ffice-authentication.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0
Source: global traffic	HTTP traffic detected: GET /aadcdn.msauth.net/~/shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg HTTP/1.1Host: 0ffice-authentication.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0
Source: global traffic	HTTP traffic detected: GET /aadcdn.msauth.net/~/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.svg HTTP/1.1Host: 0ffice-authentication.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0
Source: global traffic	HTTP traffic detected: GET /aadcdn.msauth.net/~/shared/1.0/content/js/asyncchunk/convergedlogin_pstringcustomizationhelper_76bb127b5869a5c6b8b3.js HTTP/1.1Host: 0ffice-authentication.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=trueAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0
Source: global traffic	HTTP traffic detected: GET /aadcdn.msauth.net/~/shared/1.0/content/images/signin-options_4e48046ce74f4b89d45037c90576bfac.svg HTTP/1.1Host: 0ffice-authentication.comConnection: keep-alivesec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=trueAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0
Source: global traffic	HTTP traffic detected: GET /aadcdn.msauth.net/~/shared/1.0/content/images/signin-options_4e48046ce74f4b89d45037c90576bfac.svg HTTP/1.1Host: 0ffice-authentication.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0

Source: C:\Windows\SysWOW64\mspaint.exe

File created: C:\Windows\Debug\WIA

Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe "C:\Users\user\Desktop\MFA.png"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://0ffice-authentication.com/?mfknxooz
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1888,i,2116380640700791652,7274111503676162324,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1888,i,2116380640700791652,7274111503676162324,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{926749fa-2615-4987-8845-c33e65f2b957}\InProcServer32

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\chrome_BITS_5992_2019779022

Jump to behavior

Source: classification engine

Classification label: mal64.phis.winPNG@24/32@16/8

Source: C:\Windows\SysWOW64\mspaint.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_5992_2019779022	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_pnacl_sz_nexe	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_libpnacl_irt_shim_a	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_libpnacl_irt_shim_dummy_a	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_crtbegin_for_eh_o	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_crtbegin_o	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_pnacl_json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_libgcc_a	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_pnacl_llc_nexe	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_libcrt_platform_a	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_crtend_o	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_ld_nexe	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\manifest.fingerprint	Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mspaint.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\mspaint.exe

Queries volume information: C:\Users\user\Desktop\MFA.png VolumeInformation

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Drive-by Compromise	Windows Management Instrumentation	Path Interception	1 Process Injection	12 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	4 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	5 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MFA.png	0%	ReversingLabs
MFA.png	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_ld_nexe	0%	ReversingLabs
C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_pnacl_llc_nexe	0%	ReversingLabs
C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_pnacl_sz_nexe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
cs1100.wpc.omegacdn.net	0%	Virustotal	Browse
0ffice-authentication.com	0%	Virustotal	Browse
part-0032.t-0009.t-msedge.net	0%	Virustotal	Browse
aadcdn.msftauth.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://0ffice-authentication.com/?mfknxooz	0%	Avira URL Cloud	safe
https://0ffice-authentication.com/favicon.ico	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cs1100.wpc.omegacdn.net	152.199.23.37	true	false	0%, Virustotal, Browse	unknown
accounts.google.com	172.217.168.77	true	false		high
0ffice-authentication.com	46.243.183.6	true	false	0%, Virustotal, Browse	unknown
part-0032.t-0009.t-msedge.net	13.107.246.60	true	false	0%, Virustotal, Browse	unknown
www.google.com	172.217.168.68	true	false		high
clients.l.google.com	142.250.203.110	true	false		high
clients2.google.com	unknown	unknown	false		high
identity.nel.measure.office.net	unknown	unknown	false		high
aadcdn.msftauth.net	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=115.0.5790.171&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high
https://0ffice-authentication.com/?mfknxooz	false	Avira URL Cloud: safe	unknown
https://0ffice-authentication.com/favicon.ico	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://login.microsoftonline.com	chromecache_220.4.dr, chromecache_222.4.dr	false	high
http://www.opensource.org/licenses/mit-license.php)	chromecache_228.4.dr	false	high
https://code.google.com/p/nativeclient/issues/entry%s:	pnacl_public_x86_64_ld_nexe.3.dr	false	high
https://code.google.com/p/nativeclient/issues/entry	pnacl_public_x86_64_ld_nexe.3.dr	false	high
https://chromium.googlesource.com/a/native_client/pnacl-llvm.git	pnacl_public_x86_64_crtend_o.3.dr, pnacl_public_x86_64_pnacl_sz_nexe.3.dr	false	high
http://knockoutjs.com/	chromecache_228.4.dr	false	high
https://login.windows-ppe.net	chromecache_220.4.dr, chromecache_222.4.dr	false	high
https://js.monitor.azure.com/scripts/c/ms.analytics-web-2.min.js	chromecache_228.4.dr	false	high
http://www.json.org/json2.js	chromecache_228.4.dr	false	high
https://chromium.googlesource.com/a/native_client/pnacl-clang.git	pnacl_public_x86_64_crtend_o.3.dr, pnacl_public_x86_64_pnacl_sz_nexe.3.dr	false	high
http://llvm.org/):	pnacl_public_x86_64_pnacl_llc_nexe.3.dr, pnacl_public_x86_64_pnacl_sz_nexe.3.dr	false	high
https://clients2.google.com/service/update2/crx	manifest.json.3.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
46.243.183.6	0ffice-authentication.com	Russian Federation	209283	ITGLOBAL-BY	false
142.250.203.110	clients.l.google.com	United States	15169	GOOGLEUS	false
13.107.246.60	part-0032.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.217.168.68	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.217.168.77	accounts.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1
192.168.2.6

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1297427
Start date and time:	2023-08-25 15:27:18 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	MFA.png
Detection:	MAL
Classification:	mal64.phis.winPNG@24/32@16/8
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 172.217.168.67, 34.104.35.123, 23.0.174.11, 23.10.249.144, 20.190.181.3, 40.126.53.19, 20.190.181.6, 20.190.181.2, 20.190.181.23, 40.126.53.21, 20.190.181.0, 40.126.53.16, 20.190.181.5, 40.126.53.18, 23.36.225.122, 216.58.215.234, 172.217.168.10, 172.217.168.42, 172.217.168.74, 142.250.203.106, 20.190.181.4
Excluded domains from analysis (whitelisted): eudb.ris.api.iris.microsoft.com, e13678.dscb.akamaiedge.net, clientservices.googleapis.com, a1894.dscb.akamai.net, arc.msn.com, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net, www.microsoft.com-c-3.edgekey.net, login.live.com, update.googleapis.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prdv4a.aadg.msidentity.com, content-autofill.googleapis.com, aadcdnoriginwus2.azureedge.net, www.tm.v4.a.prd.aadg.akadns.net, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, aadcdn.msauth.net, firstparty-azurefd-prod.trafficmanager.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, edgedl.me.gvt1.com, nel.measure.office.net.edgesuite.net, aadcdnoriginwus2.afd.azureedge.net, www.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
46.243.183.6	https://0ffice-authentication.com/?mfknxooz	Get hash	malicious	HTMLPhisher	Browse
46.243.183.6	https://0tp-0ffice365.com/?mfknxooz	Get hash	malicious	HTMLPhisher	Browse
13.107.246.60	https://www.linkedin.com/slink/?code=d3cYepAb#Z2F2aW4ubm90dEBzd2VkYXZpYS5zZQ==	Get hash	malicious	HTMLPhisher	Browse
	https://www.linkedin.com/slink/?code=d3cYepAb#Z2VvcmdlbW9ycmlzQHBheWUubmV0	Get hash	malicious	HTMLPhisher	Browse
	https://www.dropbox.com/scl/fi/30u77kvec5bhsskq02e3s/IGIW-Sales-and-Education-Trade-Consultants-LLC.docx?rlkey=r5iovpoisn3m3y6lafsrulr6m&dl=0	Get hash	malicious	HTMLPhisher	Browse
	https://indd.adobe.com/view/0575cfc9-7516-4992-a67d-6d987b87d8f9	Get hash	malicious	HTMLPhisher	Browse
	https://xml-v4.discoveryplugs-1.live/click?i=l6bmrwamzne_0	Get hash	malicious	Unknown	Browse
	https://www.linkedin.com/slink/?code=d3cYepAb#c3VwcG9ydEBhcm1pdHdpbmVzLmNvLnVr%3E	Get hash	malicious	HTMLPhisher	Browse
	https://www.linkedin.com/slink/?code=d3cYepAb#c3VwcG9ydEBhcm1pdHdpbmVzLmNvLnVr%3E	Get hash	malicious	HTMLPhisher	Browse
	https://indd.adobe.com/view/e5f5a5b6-c3f6-44af-8ee6-3f30bc42dbb9	Get hash	malicious	HTMLPhisher	Browse
	https://ppehosted.hassannetworkllc-proofpoint.info/?vdogrdby	Get hash	malicious	HTMLPhisher	Browse
	PAYMENT ADVICE.html	Get hash	malicious	HTMLPhisher	Browse
	http://candidodeoliveira.pt/	Get hash	malicious	Unknown	Browse
	https://linkedin.com/slink?code=gGeK-G4Y#2636c6169726540656c736172656379636c652e636f2e756b	Get hash	malicious	HTMLPhisher	Browse
	202398025022MessageEastwesttea_.html	Get hash	malicious	HTMLPhisher	Browse
	Pago_Banco_Estado__Swift_copy.bat.exe	Get hash	malicious	Remcos	Browse
	Statement 825 Paid mt.com .htm	Get hash	malicious	HTMLPhisher	Browse
	2023_eSignature_Cbh_052474466_872203448824739pdf_(2).htm	Get hash	malicious	HTMLPhisher	Browse
	https://schuceo.com/viloorel/hgfijhA/?userid=AhmedS.AlShamsi@cpc.gov.ae	Get hash	malicious	Unknown	Browse
	https://schuceo.com/viloorel/hgfijhA/?userid=AhmedS.AlShamsi@cpc.gov.ae	Get hash	malicious	Unknown	Browse
	https://schuceo.com/viloorel/hgfijhA/?userid=AhmedS.AlShamsi@cpc.gov.ae	Get hash	malicious	Unknown	Browse
	https://linkedin.com/slink?code=eYWGeWp2#YW5kcmVhLmNvc3RhQHlvZ2lwcm9kdWN0cy5jb20=&2441	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
0ffice-authentication.com	https://0ffice-authentication.com/?mfknxooz	Get hash	malicious	HTMLPhisher	Browse	46.243.183.6
cs1100.wpc.omegacdn.net	https://account.groupeseb.com/Redirect?map=53465346-Niamh-15353-Ranahan-461&cm=1531146-153-August-1853&sf=1Ranahan-53z46a-12023-Niamh-Ranahan5346&retUrl=http%3A%2F%2Fna3dd2o23.web.app/nranahan07xaQ3brR3wa2vTd0TR3wH05nZ1&m=534611-Ranahan8&c=8Niamh8&p=53146-Friday25August	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	https://dependantfilshari.xyz/host22/admin/js/mf.php?id=nsz07u9	Get hash	malicious	Unknown	Browse	152.199.23.37
	http://www.baidu.com/link?url=Ug1DfpMfkCwmhBZsR0gT7SitNUkLLkNReZbdZ59ahSJ3k1aW569ArGHHShNLPHQz&wd=&c=E,1,BGeKlw3W1Kwf_wB19Xe3d1oUdDDKsubXU82uAxClO98Ji5f_x3-kuk3pdQNPiSvCK1cQ8Y3MjYJYyKAT3iBo9wRMJ5QCQVnpwz96MjmUXoQ4A53jDmYHU4FEX6g,&typo=1	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	https://www.dropbox.com/scl/fi/30u77kvec5bhsskq02e3s/IGIW-Sales-and-Education-Trade-Consultants-LLC.docx?rlkey=r5iovpoisn3m3y6lafsrulr6m&dl=0	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	ACH payment confirmation support@healthesystems.com .HTML	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	https://0ffice-authentication.com/?mfknxooz	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	https://0tp-0ffice365.com/?mfknxooz	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	ACCOUNTSTATEMENTCOPY.html	Get hash	malicious	Unknown	Browse	152.199.23.37
	ACCOUNTSTATEMENTCOPY.html	Get hash	malicious	Unknown	Browse	152.199.23.37
	ACCOUNTSTATEMENTCOPY.html	Get hash	malicious	Unknown	Browse	152.199.23.37
	ACH payment confirmation rdownes@farbestfoods.com .HTML	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	ACH payment confirmation rdownes@farbestfoods.com .HTML	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	https://ppehosted.hassannetworkllc-proofpoint.info/?vdogrdby	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	https://ppehosted.hassannetworkllc-proofpoint.info/?vdogrdby	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	https://linkedin.com/slink?code=gGeK-G4Y#2636c6169726540656c736172656379636c652e636f2e756b	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	https://linkedin.com/slink?code=gGeK-G4Y#96f6c6976696140696e2d6163636f756e74616e63792e636f2e756b	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	202398025022MessageEastwesttea_.html	Get hash	malicious	HTMLPhisher	Browse	152.199.23.37
	Incoming ACH Confirmation.HTM	Get hash	malicious	Unknown	Browse	152.199.23.37
	https://www.baidu.com/link?url=ou4XHApstHkj9DoANHyTZRHTQge3MuRe4WD6RoRNwOt0Ywy0bCjt0tqv7zwMjhUR#c2VsaW5hLmhvdWdoQHNiYWZsYS5jb20=	Get hash	malicious	Unknown	Browse	152.199.23.37
	jasonReed-phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	152.199.23.37
part-0032.t-0009.t-msedge.net	https://account.groupeseb.com/Redirect?map=53465346-Niamh-15353-Ranahan-461&cm=1531146-153-August-1853&sf=1Ranahan-53z46a-12023-Niamh-Ranahan5346&retUrl=http%3A%2F%2Fna3dd2o23.web.app/nranahan07xaQ3brR3wa2vTd0TR3wH05nZ1&m=534611-Ranahan8&c=8Niamh8&p=53146-Friday25August	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://www.linkedin.com/slink/?code=d3cYepAb#Z2F2aW4ubm90dEBzd2VkYXZpYS5zZQ==	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://www.linkedin.com/slink/?code=d3cYepAb#Z2VvcmdlbW9ycmlzQHBheWUubmV0	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://www.dropbox.com/scl/fi/30u77kvec5bhsskq02e3s/IGIW-Sales-and-Education-Trade-Consultants-LLC.docx?rlkey=r5iovpoisn3m3y6lafsrulr6m&dl=0	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://indd.adobe.com/view/0575cfc9-7516-4992-a67d-6d987b87d8f9	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://xml-v4.discoveryplugs-1.live/click?i=l6bmrwamzne_0	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://0ffice-authentication.com/?mfknxooz	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://0tp-0ffice365.com/?mfknxooz	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://www.linkedin.com/slink/?code=d3cYepAb#c3VwcG9ydEBhcm1pdHdpbmVzLmNvLnVr%3E	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://www.linkedin.com/slink/?code=d3cYepAb#c3VwcG9ydEBhcm1pdHdpbmVzLmNvLnVr%3E	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://indd.adobe.com/view/e5f5a5b6-c3f6-44af-8ee6-3f30bc42dbb9	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://ppehosted.hassannetworkllc-proofpoint.info/?vdogrdby	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	PAYMENT ADVICE.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://ppehosted.hassannetworkllc-proofpoint.info/?vdogrdby	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	http://candidodeoliveira.pt/	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://linkedin.com/slink?code=gGeK-G4Y#2636c6169726540656c736172656379636c652e636f2e756b	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://linkedin.com/slink?code=gGeK-G4Y#96f6c6976696140696e2d6163636f756e74616e63792e636f2e756b	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	202398025022MessageEastwesttea_.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	Statement 825 Paid mt.com .htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	2023_eSignature_Cbh_052474466_872203448824739pdf_(2).htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	Kristen Puckett shared _knoxdermplastics#Remittance_Notice_pdf_ with you.msg	Get hash	malicious	HTMLPhisher	Browse	52.109.76.141
	BOQ-Al Gurg Automation Project.exe	Get hash	malicious	DBatLoader, Remcos	Browse	13.107.136.8
	BOQ-Al Gurg Automation Project.exe	Get hash	malicious	DBatLoader, Remcos	Browse	13.107.136.8
	gucciarm7.elf	Get hash	malicious	Mirai	Browse	20.91.208.152
	gucciarm.elf	Get hash	malicious	Mirai	Browse	22.56.89.90
	guccix86.elf	Get hash	malicious	Mirai	Browse	20.14.171.59
	https://www.linkedin.com/slink/?code=d3cYepAb#Z2F2aW4ubm90dEBzd2VkYXZpYS5zZQ==	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://www.linkedin.com/slink/?code=d3cYepAb#Z2F2aW4ubm90dEBzd2VkYXZpYS5zZQ==	Get hash	malicious	HTMLPhisher	Browse	13.107.213.45
	PO.230364.xlam.xlsx	Get hash	malicious	Unknown	Browse	13.107.219.60
	Upaid_Overdue_Invoice.jar	Get hash	malicious	Dynamic Stealer	Browse	20.226.251.200
	Upaid_Overdue_Invoice.jar	Get hash	malicious	Dynamic Stealer	Browse	20.226.251.200
	https://www.linkedin.com/slink/?code=d3cYepAb#Z2VvcmdlbW9ycmlzQHBheWUubmV0	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	http://www.baidu.com/link?url=Ug1DfpMfkCwmhBZsR0gT7SitNUkLLkNReZbdZ59ahSJ3k1aW569ArGHHShNLPHQz&wd=&c=E,1,BGeKlw3W1Kwf_wB19Xe3d1oUdDDKsubXU82uAxClO98Ji5f_x3-kuk3pdQNPiSvCK1cQ8Y3MjYJYyKAT3iBo9wRMJ5QCQVnpwz96MjmUXoQ4A53jDmYHU4FEX6g,&typo=1	Get hash	malicious	HTMLPhisher	Browse	40.126.32.138
	https://bitmovin.com/demos/drm	Get hash	malicious	Unknown	Browse	13.107.213.44
	https://www.dropbox.com/scl/fi/30u77kvec5bhsskq02e3s/IGIW-Sales-and-Education-Trade-Consultants-LLC.docx?rlkey=r5iovpoisn3m3y6lafsrulr6m&dl=0	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	6K20nZhV6g.elf	Get hash	malicious	Mirai	Browse	191.237.178.81
	sora.arm7.elf	Get hash	malicious	Mirai	Browse	20.231.62.45
	sora.x86.elf	Get hash	malicious	Mirai	Browse	20.230.213.32
	https://indd.adobe.com/view/0575cfc9-7516-4992-a67d-6d987b87d8f9	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	3DzABAZWMB.elf	Get hash	malicious	Mirai	Browse	20.104.11.91
ITGLOBAL-BY	https://0ffice-authentication.com/?mfknxooz	Get hash	malicious	HTMLPhisher	Browse	46.243.183.6
	https://0tp-0ffice365.com/?mfknxooz	Get hash	malicious	HTMLPhisher	Browse	46.243.183.6
	SecuriteInfo.com.Variant.MSILHeracles.17744.21016.exe	Get hash	malicious	RedLine	Browse	46.243.186.8

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_ld_nexe	http://tracking.confprofs.com/tracking/click?d=LFgQUYmdfOBdGwpFhuN-ElS1D8dMxdYsRnAUL1q-2ozlekJtb1w4dDUmmbJhf5UB1eFE1aSvGoBe0ELHRe6twScgicVoa6HLIVsL8zj6ssYMiyChEf8hpD1M5cmldGExxOjxufUJBY641t7g35UVVw4n0SdMpqkK8XW1TPVTTGYPALg1x85ad96FNV0eOI2ieev1LNttfZxx5AXXf5tm6m81	Get hash	malicious	Unknown	Browse
	http://xml-v4.qksrv1.com/click?i=7yjoashki6q_0	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.23042.9340.exe	Get hash	malicious	Unknown	Browse
	Bcbcpa remittance89783839.html	Get hash	malicious	Unknown	Browse
	https://app.capacities.io/home/2672e14d-4b0c-4e96-a793-aa4fb8d739f4	Get hash	malicious	Unknown	Browse
	https://pub-5e34bcda437b499399d6abc116886480.r2.dev/indexR.html	Get hash	malicious	HTMLPhisher	Browse
	https://www.diamondglass.in/	Get hash	malicious	Unknown	Browse
	ATT26328.html	Get hash	malicious	Unknown	Browse
	https://github.com/mRemoteNG/mRemoteNG/releases/download/v1.76.20/mRemoteNG-Portable-1.76.20.24669.zip	Get hash	malicious	Unknown	Browse
	ACCOUNTSTATEMENTCOPY.html	Get hash	malicious	Unknown	Browse
	http://gpt9.com/api/cpx?q=6cb51c39d189cc673d43b0e080498febc6e6304d1d2154f684abd19673ad75137104f828338656b7690cf46e0e09f1031ee81f68311c1cc165a5b2b142d72a2ae31a0a2562b0c5fda094173142ddda69266325e16144d0654c07a5323086a2688d5b69d0efe3cd930ed8423cdc51ea4c734ff7ab398edbbe84650ffa40a93964cc41e41597e2dc35d545cccc328ee7a37390ebf6fdba970c9406f56e5694782a282cc13809d2db790904c48116185ae8cbb0c1848cc80786a47499cacb274f88dbc1cb208ccf528b7c9675c5e3a07dd464a029497122935f304de607d6d3cabdbb740490836a0076fcc16f899385a9a609976ec08da9125a3b36db3506f7871e	Get hash	malicious	Unknown	Browse
	http://masterplacelove.cfd	Get hash	malicious	Unknown	Browse
	ACCOUNTSTATEMENTCOPY.html	Get hash	malicious	Unknown	Browse
	ACH payment confirmation rdownes@farbestfoods.com .HTML	Get hash	malicious	HTMLPhisher	Browse
	ACH payment confirmation rdownes@farbestfoods.com .HTML	Get hash	malicious	HTMLPhisher	Browse
	https://usps.pp-lose.com/	Get hash	malicious	Unknown	Browse
	https://protect-za.mimecast.com/s/kmIMCxGjjnHDXJAASmqvmI?domain=clt1554948.benchurl.com	Get hash	malicious	Unknown	Browse
	AgshealthWire-receipt.html	Get hash	malicious	Unknown	Browse
	https://www.menti.com/alo8b9w49k13	Get hash	malicious	Unknown	Browse
	ACH Payment.xlsx	Get hash	malicious	HTMLPhisher	Browse

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3034
Entropy (8bit):	5.876664552417901
Encrypted:	false
SSDEEP:	48:p/hEc9q0S+UTKYM43z8nqMsfWRUWEADM/W9n7lqFkakzcVTGkcYTPi6zM:RGcg5z/jjjHgUnV278+aWLy4
MD5:	8B6C3E16DFBF5FD1C9AC2267801DB38E
SHA1:	F5CADC5914DF858C96C189B092BC89C29407BBAA
SHA-256:	FD986A547D9585E98F451B87CA85DEB4B61EE540C6FAC678D7BEDABF04653095
SHA-512:	37048EF8FADF62A26CAEC6EE90AC192429AB1E99424E5C68FACA90C0DAD68642C761FDCAC03FC38FA930841F91FA145A6943EC7F168D4F2FA426F1F092C2F502
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJfcGxhdGZvcm1fc3BlY2lmaWMveDg2XzY0L3BuYWNsX3B1YmxpY19wbmFjbF9qc29uIiwicm9vdF9oYXNoIjoiVkNUSHNJVHNUSXVncWNhV2ctWHVpTU1sdWloV1FSTE1sQnpTTGprdGhETSJ9LHsicGF0aCI6Il9wbGF0Zm9ybV9zcGVjaWZpYy94ODZfNjQvcG5hY2xfcHVibGljX3g4Nl82NF9jcnRiZWdpbl9mb3JfZWhfbyIsInJvb3RfaGFzaCI6ImxINWt2a1BvSVZZczZKVHhyOHc5Q2MxXzloVEJCX3lVSlF6VDZseVVNd0kifSx7InBhdGgiOiJfcGxhdGZvcm1fc3BlY2lmaWMveDg2XzY0L3BuYWNsX3B1YmxpY194ODZfNjRfY3J0YmVnaW5fbyIsInJvb3RfaGFzaCI6IkVuLVFQTW1HUm1xbG9Ud1gzOTAzckpsMkw0R25sQmdET1FhZlNKaHJ4Nk0ifSx7InBhdGgiOiJfcGxhdGZvcm1fc3BlY2lmaWMveDg2XzY0L3BuYWNsX3B1YmxpY194ODZfNjRfY3J0ZW5kX28iLCJyb290X2hhc2giOiJkT2lJVzRmdEdGNW9FY0k1UXYyYjBmdXNrUlYyaUVtdmxhbmV6MlpFc3VvIn0seyJwYXRoIjoiX3BsYXRmb3JtX3NwZWNpZmljL3g4Nl82NC9wbmFjbF9wdWJsaWNfeDg2XzY0X2xkX25leGUiLCJyb290X2hhc2giOiIzNEU5QU9EMmpqLWNoMzZQZ0NVV0YtMUpYWVhVdlNGY1I4bks1aWppcWNjIn0seyJwYXRoIjoiX3B

Process:	C:\Windows\SysWOW64\mspaint.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	1526
Entropy (8bit):	5.2768677337661485
Encrypted:	false
SSDEEP:	24:0ucyUWF02k9YXCuUWF0q7URUWF0kuqbUWF0w3OoUWF0HXd/bXE34/U/Xd/Tz/Ul+:0uc5WSmX0WSBSWSkulWSw3eWS3RzE34k
MD5:	BDACDEA0553C16D25EA680F15B095B39
SHA1:	484A9D3DF68BAED7124E9E8CAF1CE68C935FAB26
SHA-256:	50196190F68C64485B0F3EF73E7295B18903B97D728D56B239282CED946935C8
SHA-512:	120991FDAF1A9F577B27DAA9270E5525EA84BA4705FB77C3DF1E83B55CBBA032E7BB87720965E6C689001759D0B119B7485DA3142209BD95F3C58FB3FA92645F
Malicious:	false
Preview:	..************** Started trace for Module: [sti.dll] in Executable [mspaint.exe] ProcessID: [7068] at 2023/08/25 15:28:15:767 **************..WIA: 7068.7064 16 0 0 [sti.dll] AsyncRPCEventTransport::OpenConnectionToServer, AsyncRPC Connection established to server..WIA: 7068.7064 16 0 0 [sti.dll] AsyncRPCEventTransport::OpenConnectionToServer, Got my context 02DA7FE0 from server...WIA: 7068.7064 16 0 0 [sti.dll] WiaEventReceiver::Start, WiaEventReceiver Started.....WIA: 7068.2228 16 0 0 [sti.dll] AsyncRPCEventTransport::CloseNotificationChannel, Closing the async notification channel.....WIA: 7068.2228 16 0 0 [sti.dll] AsyncRPCEventTransport::OpenNotificationChannel, Opening the async notification channel.....WIA: 7068.7064 16 0 0 [sti.dll] AsyncRPCEventTransport::SendRegisterUnregisterInfo, Sent RPC Register/Unregister information...WIA: 7068.7064 16 0 0 [sti.dll] WiaEventReceiver::SendRegisterUnregisterInfo, Added new registration:..WIA: 7068.7064 16 0 0 [sti.dll] EventRegistratio

File type:	PNG image data, 340 x 338, 8-bit/color RGBA, non-interlaced
Entropy (8bit):	7.988507609338744
TrID:	Portable Network Graphics (16016/1) 100.00%
File name:	MFA.png
File size:	176'475 bytes
MD5:	af8f9a21b423aa84a456d75bdcaf5c7e
SHA1:	8ee182c96de7e89e037da752ee0addd2ad80c97e
SHA256:	2e2bf46a0b5e6fb48e46c60711d2fc4ad90418d47999f8d2c5944aeae1b5e388
SHA512:	dfe511bbbcab66b18ac55d828b87379df9821af246d611ff393198c492924c63ff0e7daf9109fe62e1948d8c42345de0c4639029195e2a7dccc1840395cbae5e
SSDEEP:	3072:xOA97aBbe+l6NZwPpTItVuN8GJaduD71PQUsuLdBH8WHuvVqqZiNRdixgM1PDSDC:xO6ov6NZwPpTItcuGJad8WU9pBH8WoII
TLSH:	DD042353B7F6092156EC1CA7EA2A84E409229DC2C5176F1FB84EF8ED23370505E8EDB4
File Content Preview:	.PNG........IHDR...T...R.......'....miCCPICC Profile..H..W.XS...[.....@@J.M.......H/.....J..A.^..\....].Ql+ v.....bAEY.u...&$......}s..3g.S.L.=.h}.I.y.6....YBx0stZ:...`.. @..y\|............n@K(W..\.....+.... c!...........Ke....z...R%........*%.V..J.....m..

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 25, 2023 15:28:22.769032001 CEST	65212	53	192.168.2.5	8.8.8.8
Aug 25, 2023 15:28:22.769383907 CEST	50088	53	192.168.2.5	8.8.8.8
Aug 25, 2023 15:28:22.770180941 CEST	54988	53	192.168.2.5	8.8.8.8
Aug 25, 2023 15:28:22.770554066 CEST	53183	53	192.168.2.5	8.8.8.8
Aug 25, 2023 15:28:22.770934105 CEST	60422	53	192.168.2.5	8.8.8.8
Aug 25, 2023 15:28:22.771276951 CEST	64219	53	192.168.2.5	8.8.8.8
Aug 25, 2023 15:28:22.785320997 CEST	53	53183	8.8.8.8	192.168.2.5
Aug 25, 2023 15:28:22.789494991 CEST	53	54988	8.8.8.8	192.168.2.5
Aug 25, 2023 15:28:22.799032927 CEST	53	65212	8.8.8.8	192.168.2.5
Aug 25, 2023 15:28:22.803404093 CEST	53	64219	8.8.8.8	192.168.2.5
Aug 25, 2023 15:28:22.804579020 CEST	53	60422	8.8.8.8	192.168.2.5
Aug 25, 2023 15:28:22.808648109 CEST	53	50088	8.8.8.8	192.168.2.5
Aug 25, 2023 15:28:22.826730013 CEST	53	64997	8.8.8.8	192.168.2.5
Aug 25, 2023 15:28:23.062840939 CEST	53	51019	8.8.8.8	192.168.2.5
Aug 25, 2023 15:28:24.780328035 CEST	57619	53	192.168.2.5	8.8.8.8
Aug 25, 2023 15:28:24.781080961 CEST	56046	53	192.168.2.5	8.8.8.8
Aug 25, 2023 15:28:25.407326937 CEST	56852	53	192.168.2.5	8.8.8.8
Aug 25, 2023 15:28:25.407679081 CEST	54947	53	192.168.2.5	8.8.8.8
Aug 25, 2023 15:28:25.427634954 CEST	53	54947	8.8.8.8	192.168.2.5
Aug 25, 2023 15:28:25.436326027 CEST	53	56852	8.8.8.8	192.168.2.5
Aug 25, 2023 15:28:26.640844107 CEST	53460	53	192.168.2.5	8.8.8.8
Aug 25, 2023 15:28:26.641246080 CEST	63275	53	192.168.2.5	8.8.8.8
Aug 25, 2023 15:28:26.661397934 CEST	53	63275	8.8.8.8	192.168.2.5
Aug 25, 2023 15:28:26.670108080 CEST	53	53460	8.8.8.8	192.168.2.5
Aug 25, 2023 15:28:26.798877001 CEST	57156	53	192.168.2.5	8.8.8.8
Aug 25, 2023 15:28:26.799386978 CEST	59551	53	192.168.2.5	8.8.8.8
Aug 25, 2023 15:28:26.830024004 CEST	53	59551	8.8.8.8	192.168.2.5
Aug 25, 2023 15:28:26.843677998 CEST	53	57156	8.8.8.8	192.168.2.5
Aug 25, 2023 15:28:39.381781101 CEST	53	52943	8.8.8.8	192.168.2.5
Aug 25, 2023 15:29:22.051229954 CEST	53	62986	8.8.8.8	192.168.2.5
Aug 25, 2023 15:29:24.872462034 CEST	59094	53	192.168.2.5	8.8.8.8
Aug 25, 2023 15:29:24.872967005 CEST	65259	53	192.168.2.5	8.8.8.8

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 25, 2023 15:28:22.826988935 CEST	192.168.2.5	8.8.8.8	d03b	(Port unreachable)	Destination Unreachable
Aug 25, 2023 15:29:41.846081018 CEST	192.168.2.5	8.8.8.8	d0c3	(Port unreachable)	Destination Unreachable

Timestamp	kBytes transferred	Direction	Data
2023-08-25 13:28:22 UTC	0	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=Dvrtrktau_uydMvoGc1_xfN2ULJBRPHxz6q2oM2aufczSxk8Cchv3g2jlLVO-eHXlJ_BwPi1P-zYcjdR9AuTyG10jrJ2AzQ7yL8SBUliEafdzZn70Pmm-r8GrPXaz7LFgctn_yZRHpJXI09tbP_WroWCmYwT_a7Fwj8gHnQ5nbY; AEC=Ad49MVGGktvnyMQBXjxfVM4VyQMgBORLkDWV_5bpQs3oS50vEqIAFgkFMBQ; CONSENT=PENDING+008; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDMtMF9SQzIaAmRlIAEaBgiA0dCmBg; __Secure-ENID=14.SE=ASWfeSSVBcK3LyggZgGhgI5yIs3Z2wYpfR6yuK81LiYU6I0bFs937AKcakQoHnJkxVLloWnpVW_r8Ar2dupLdGHUm260SY6_u_8bKbtIVuC2UT3_Sjp3_6n5MjyjVSOfngggQke4VZle0rxsEtTK1UwAzXaROx3bb_2_jH9Xta1jpoaREw
2023-08-25 13:28:22 UTC	1	OUT	Data Raw: 20 Data Ascii:
2023-08-25 13:28:22 UTC	3	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 25 Aug 2023 13:28:22 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'report-sample' 'nonce-lQPVu-nyogNGR7b3bDWlTA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Cross-Origin-Opener-Policy: same-origin Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-08-25 13:28:22 UTC	4	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-08-25 13:28:22 UTC	4	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-08-25 13:28:22 UTC	1	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=115.0.5790.171&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-115.0.5790.171 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-08-25 13:28:22 UTC	1	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-daLPtkAgijsf1-XVyCU_KQ' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 25 Aug 2023 13:28:22 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 6080 X-Daystart: 23302 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-08-25 13:28:22 UTC	2	IN	Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 30 38 30 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 32 33 33 30 32 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6080" elapsed_seconds="23302"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2023-08-25 13:28:22 UTC	2	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2023-08-25 13:28:22 UTC	3	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-08-25 13:28:26 UTC	846	OUT	GET /aadcdn.msauth.net/~/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico HTTP/1.1 Host: 0ffice-authentication.com Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=true Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0
2023-08-25 13:28:26 UTC	850	IN	HTTP/1.1 200 OK Date: Fri, 25 Aug 2023 13:28:26 GMT Content-Type: image/x-icon Content-Length: 17174 Connection: close Cache-Control: public, max-age=31536000 Last-Modified: Sun, 18 Oct 2020 03:02:03 GMT ETag: 0x8D8731230C851A6 x-ms-request-id: 0c4fb9c2-c01e-000f-56b3-d4be6c000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20230825T132826Z-gvh4egp9k52kdd667ytenycgp800000002wg000000007ad9 X-Cache: TCP_HIT Accept-Ranges: bytes
2023-08-25 13:28:26 UTC	851	IN	Data Raw: 00 00 01 00 06 00 80 80 10 00 00 00 00 00 68 28 00 00 66 00 00 00 48 48 10 00 00 00 00 00 e8 0d 00 00 ce 28 00 00 30 30 10 00 00 00 00 00 68 06 00 00 b6 36 00 00 20 20 10 00 00 00 00 00 e8 02 00 00 1e 3d 00 00 18 18 10 00 00 00 00 00 e8 01 00 00 06 40 00 00 10 10 10 00 00 00 00 00 28 01 00 00 ee 41 00 00 28 00 00 00 80 00 00 00 00 01 00 00 01 00 04 00 00 00 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 00 ef a4 00 00 00 b9 ff 00 00 ba 7f 00 22 50 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 20 00 00 03 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 Data Ascii: h(fHH(00h6 =@(A(("P"""""""""""""""""""""""""""""" 333333333333333
2023-08-25 13:28:26 UTC	866	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 00 ef a4 00 00 00 b9 ff 00 00 bc 7b 00 1f 4c f9 00 22 50 f2 00 f7 a6 00 00 00 ba 7f 00 f3 a6 00 00 1e 4e f6 00 23 4e f4 00 f3 a4 00 00 00 bc 7d 00 00 ba 7d 00 00 00 00 00 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 22 22 22 22 22 22 c0 03 33 33 33 33 33 33 33 22 Data Ascii: {L"PN#N}}"""""""3333333"""""""3333333"""""""3333333"""""""3333333"""""""3333333"""""""3333333"""""""3333333"""""""3333333"""""""3333333"""""""3333333"""""""3333333"

Timestamp	kBytes transferred	Direction	Data
2023-08-25 13:28:26 UTC	848	OUT	GET /aadcdn.msauth.net/~/shared/1.0/content/js/asyncchunk/convergedlogin_pcustomizationloader_80e93b9a4cb13643afca.js HTTP/1.1 Host: 0ffice-authentication.com Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=true Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA
2023-08-25 13:28:27 UTC	869	IN	HTTP/1.1 200 OK Date: Fri, 25 Aug 2023 13:28:27 GMT Content-Type: application/x-javascript content-length: 109863 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Thu, 26 Jan 2023 00:32:54 GMT ETag: 0x8DAFF34DD9DC630 x-ms-request-id: 4918f058-a01e-0009-5258-d74460000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20230825T132826Z-9qpxpsnq3p5hx45fff464wuq5n00000002mg00000001pfsk X-Cache: TCP_MISS Accept-Ranges: bytes Content-Security-Policy: default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'; form-action * data: blob: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: filesystem: ; frame-ancestors 'self' * http://* https://* file://* about: javascript: data: blob: filesystem: ; object-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';
2023-08-25 13:28:27 UTC	870	IN	Data Raw: 1f 8b 08 00 00 00 00 00 00 03 e4 bd 6b 7b db c8 91 30 fa 7d 7f 05 c5 93 68 00 13 a4 48 ea 6a 92 10 d7 e3 f1 64 bd c7 63 fb b5 3d d9 37 af cc f8 81 c8 a6 84 31 04 30 b8 d8 56 44 ee 6f 3f 55 d5 77 a0 49 c9 1e 27 9b 73 4e 9e 8c 45 34 1a 7d a9 ae ae ae aa ae cb c1 a3 bd 7f 6b 3d 6a 75 1f fe bf d6 db 77 4f de bc 6b bd fa b9 f5 ee 3f 9e bf f9 a9 f5 1a 9e fe d2 7a f9 ea dd f3 a7 cf 1e de 0e 76 8a ff bd bb 8e 8b d6 32 4e 58 0b fe 5e 46 05 5b b4 b2 b4 95 e5 ad 38 9d 67 f9 2a cb a3 92 15 ad 1b f8 37 8f a3 a4 b5 cc b3 9b 56 79 cd 5a ab 3c fb 8d cd cb a2 95 c4 45 09 1f 5d b2 24 fb dc f2 a0 b9 7c d1 7a 1d e5 e5 6d eb f9 6b bf 07 ed 33 68 2d be 8a 53 f8 7a 9e ad 6e e1 f7 75 d9 4a b3 32 9e b3 56 94 2e a8 b5 04 1e d2 82 b5 aa 74 c1 f2 d6 e7 eb 78 7e dd fa 25 9e e7 59 91 Data Ascii: k{0}hHjdc=710VDo?UwI'sNE4}k=juwOk?zv2NX^F[8g*7VyZ<E]$\|zmk3h-SznuJ2V.tx~%Y
2023-08-25 13:28:27 UTC	885	IN	Data Raw: a3 b5 83 5d cd d6 d3 73 7a 32 c0 26 c8 e3 9b 29 ff e3 f9 e4 9e 2b 72 16 fc f5 7d d1 59 c3 7f 7f e0 69 0b 36 68 6a 2f 5f fe 44 99 1d ea 3e c1 22 b6 c1 58 6e 0e 32 31 06 09 af 13 b6 c3 b6 19 8a c7 74 f8 fb bb 3e 7d 8c 8b 6d 20 fc 48 83 3d 38 ff ce 43 1d e0 26 33 1c dc e9 ac 2c e9 84 24 af 02 6d 4b b1 f1 8d e4 b3 a9 07 6b ee 63 10 b7 c3 46 10 b7 b2 c7 13 2c fe 12 ad fe c4 83 02 66 3c ae fe 91 ef 78 13 18 d5 9f 66 69 81 a1 ab 29 9e da 99 df 7c a1 2a bf c4 ac a2 18 77 7b e0 1b 25 38 9e a3 2d a9 8c 71 00 c7 3c 68 db 71 5f 04 6d 3b 3e 39 f1 7b b4 ae 6f 59 09 84 06 bb 3d f5 7b d0 e1 0a 08 d8 8b b8 28 6b 61 bc 39 29 c7 a0 ce 44 e6 3f 50 4a dd 0c d3 fd 3e c9 31 50 46 1b 0b da 94 4d 41 56 e1 dc d4 1b cc 40 68 56 d4 c5 b5 ea 1f e3 d5 9f 11 d3 23 ec d5 fe c4 7a d5 e6 Data Ascii: ]sz2&)+r}Yi6hj/_D>"Xn21t>}m H=8C&3,$mKkcF,f<xfi)\|*w{%8-q<hq_m;>9{oY={(ka9)D?PJ>1PFMAV@hV#z
2023-08-25 13:28:27 UTC	886	IN	Data Raw: 23 30 22 75 c1 a1 5b a0 67 5c a3 58 32 27 9a 62 c7 a1 cd 04 4a 6f 34 45 70 03 b3 9f b8 bb 44 67 b9 38 b0 3b 37 09 72 77 d0 9d 93 c7 5d ad 74 cb 27 62 b8 95 4f e1 cc ec 52 35 5a 41 ba 85 ae 58 30 9c 7a a4 44 c9 ad f6 53 1e c9 0b d9 b1 eb 4e c8 a4 8e e4 ba 86 5b 12 3a 6f 2d f6 c5 6d f2 c4 30 68 7d 23 11 e4 9e 9b 3f 92 16 d1 30 7e c9 4a 72 85 b5 29 df 30 5f 1a eb d9 6c 18 53 82 a5 60 c4 f4 88 e1 a4 79 f5 39 95 31 36 4c f7 9f da 08 80 a3 9a ba 59 be 74 46 4c b3 9b cc 37 3d 92 b8 1f ee 9d 10 a3 05 97 29 9e c4 3e 2e 6c de d3 d8 56 b4 50 23 73 d1 f4 3b b9 0b e5 c7 f5 6d ee f9 9b b1 01 46 c9 8c 23 77 85 a0 24 36 cb 28 53 7c 77 93 65 37 c5 fa c6 fb 2d 3c b6 f1 99 42 0b 5e d1 8d 33 ba 76 60 76 87 62 70 1d c2 5b b3 43 d5 28 26 75 c7 17 04 33 de 04 4e c5 54 84 4a a3 Data Ascii: #0"u[g\X2'bJo4EpDg8;7rw]t'bOR5ZAX0zDSN[:o-m0h}#?0~Jr)0_lS`y916LYtFL7=)>.lVP#s;mF#w$6(S\|we7-<B^3v`vbp[C(&u3NTJ
2023-08-25 13:28:27 UTC	895	IN	Data Raw: cd 3d fb 73 db 36 d2 bf 7f 7f 85 cd 7a 1c 22 82 9f 79 34 21 c3 ea 1c 57 ed b4 13 c7 19 ab b9 cc 8d ac 78 68 99 b2 d9 c8 62 4a 52 76 12 4b f7 b7 df 3e 00 10 20 29 c5 c9 f5 66 be 1f 6c 52 20 9e 8b c5 02 fb c0 2e 05 2d d7 3f 0a ce 04 a9 97 98 f7 e2 02 bd 76 20 51 a7 df 80 eb 09 bf 8c c7 f4 64 d7 ed 4e 1e 4e 3a 98 4c 74 6a 41 c9 c9 75 5a d2 8b 62 c3 9c 32 2a ed 18 aa 77 d2 27 a6 8a a6 1a 75 30 c4 8e aa d8 64 91 cb 00 d7 48 ac 0a 8a a2 33 6b 9d a4 b9 b1 4f 56 31 db a3 db 8b a6 08 cb 43 4f cb f0 ed ea 22 cd ef d7 08 65 5d d2 c4 ec 3a 2e 3e b4 c8 c9 76 49 58 f9 55 a7 91 2b 02 7d d4 d7 fb 20 19 aa f5 1a e2 3b e6 6f f3 9f 87 2a a6 6c 02 67 2d f5 02 db 6e 3e 75 7f 99 e8 27 39 ee 85 4b e3 9d 3c 7f fc 37 45 45 82 dd 97 82 df 3c 7d fe e4 6b e1 3c ed 9d b9 4d 0b de a6 Data Ascii: =s6z"y4!WxhbJRvK> )flR .-?v QdNN:LtjAuZb2w'u0dH3kOV1CO"e]:.>vIXU+} ;olg-n>u'9K<7EE<}k<M

Timestamp	kBytes transferred	Direction	Data
2023-08-25 13:28:27 UTC	919	OUT	GET /aadcdn.msauth.net/~/shared/1.0/content/js/asyncchunk/convergedlogin_pfetchsessionsprogress_ae573f441ee1cf781ec7.js HTTP/1.1 Host: 0ffice-authentication.com Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=true Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0
2023-08-25 13:28:28 UTC	929	IN	HTTP/1.1 200 OK Date: Fri, 25 Aug 2023 13:28:28 GMT Content-Type: application/x-javascript content-length: 15748 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Thu, 26 Jan 2023 00:32:55 GMT ETag: 0x8DAFF34DE08B462 x-ms-request-id: 06559fa5-a01e-0035-4b58-d79168000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20230825T132827Z-een70huwm95fd4218txaekp7a000000002n000000000w04y X-Cache: TCP_MISS Accept-Ranges: bytes Content-Security-Policy: default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'; form-action * data: blob: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: filesystem: ; frame-ancestors 'self' * http://* https://* file://* about: javascript: data: blob: filesystem: ; object-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';
2023-08-25 13:28:28 UTC	930	IN	Data Raw: 1f 8b 08 00 00 00 00 00 00 03 Data Ascii:
2023-08-25 13:28:28 UTC	934	IN	Data Raw: ad 5b 7d 77 da c6 d2 ff ff 7e 0a a1 db 43 a4 9b b5 6c da a4 ed c5 55 7d 1c 5e 12 5a 3b 76 0d ee 5b 92 c3 11 68 01 c5 42 52 b5 c2 98 1a be fb f3 9b 5d 09 09 10 d8 e9 73 73 1c 83 76 67 67 67 67 e7 7d e4 e3 ff 54 fe a5 fd 47 3b 7a fe 3f ad db 3b bf e9 69 57 6d ad f7 ae 73 d3 d4 ae f1 f4 87 f6 fe aa d7 69 b4 9e 8f 87 36 a5 ff bd 89 27 b4 91 e7 73 0d 9f 03 47 70 57 0b 03 2d 8c 35 2f 18 86 71 14 c6 4e c2 85 36 c5 ef d8 73 7c 6d 14 87 53 2d 99 70 2d 8a c3 cf 7c 98 08 cd f7 44 82 45 03 ee 87 73 cd 00 ba d8 d5 ae 9d 38 59 68 9d 6b d3 02 7e 0e 6c de d8 0b b0 7a 18 46 0b 7c 9f 24 5a 10 26 de 90 6b 4e e0 4a 6c 3e 1e 02 c1 b5 59 e0 f2 58 9b 4f bc e1 44 bb f4 86 71 28 c2 51 a2 c5 7c c8 bd 7b 6c 22 66 18 df dc 82 69 4e cc 35 c1 13 6d 14 c6 c9 44 d1 61 69 5d 82 4c b1 0a Data Ascii: [}w~ClU}^Z;v[hBR]ssvgggg}TG;z?;iWmsi6'sGpW-5/qN6s\|mS-p-\|DEs8Yhk~lzF\|$Z&kNJl>YXODq(Q\|{l"fiN5mDai]L

Timestamp	kBytes transferred	Direction	Data
2023-08-25 13:28:28 UTC	940	OUT	GET /aadcdn.msauth.net/~/shared/1.0/content/images/marching_ants_white_166de53471265253ab3a456defe6da23.gif HTTP/1.1 Host: 0ffice-authentication.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0
2023-08-25 13:28:29 UTC	946	IN	HTTP/1.1 200 OK Date: Fri, 25 Aug 2023 13:28:28 GMT Content-Type: image/gif Content-Length: 2672 Connection: close Cache-Control: public, max-age=31536000 Last-Modified: Fri, 17 Jan 2020 19:28:37 GMT ETag: 0x8D79B83739984DD x-ms-request-id: dc2d3869-901e-0012-0758-d7d155000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20230825T132828Z-6y76xdx52t5zff9dcafv559wkw00000002cg00000000ugs5 X-Cache: TCP_REMOTE_HIT Accept-Ranges: bytes
2023-08-25 13:28:29 UTC	947	IN	Data Raw: 47 49 46 38 39 61 60 01 03 00 f0 00 00 ff ff ff 96 96 96 21 ff 0b 4e 45 54 53 43 41 50 45 32 2e 30 03 01 00 00 00 21 f9 04 09 05 00 00 00 2c 00 00 00 00 60 01 03 00 00 02 36 84 1d a9 b7 07 ed 50 8a 6c d2 8b b3 de bc fb 0f 86 e2 48 96 e6 89 a2 0a 04 49 01 d6 3a 71 4a d7 f6 8d e7 fa ce 6b ab f5 00 ba 60 42 59 b1 87 4c 2a 97 cc 26 af 00 00 21 f9 04 09 05 00 00 00 2c 06 00 00 00 30 00 03 00 00 02 1a 8c 01 16 88 ca ec 1e 3c f2 a9 18 1b b5 5b e6 9a 5c 4b 38 6a e5 74 72 a9 67 14 00 21 f9 04 09 03 00 00 00 2c 07 00 00 00 33 00 03 00 00 02 1a 8c 81 16 c8 ca ef 5e 3b 12 2a 0a e2 5c 55 4b df 5d 5c 86 25 e5 56 99 63 aa 14 00 21 f9 04 09 05 00 00 00 2c 0a 00 00 00 37 00 03 00 00 02 1a 8c 81 60 91 b9 ed 0e 6c 6f c6 c5 ee ac 90 5b bf 61 19 02 2a 52 77 7e 69 18 14 00 21 Data Ascii: GIF89a`!NETSCAPE2.0!,`6PlHI:qJk`BYL&!,0<[\K8jtrg!,3^;\UK]\%Vc!,7`lo[a*Rw~i!

Timestamp	kBytes transferred	Direction	Data
2023-08-25 13:28:22 UTC	4	OUT	GET /?mfknxooz HTTP/1.1 Host: 0ffice-authentication.com Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-08-25 13:28:23 UTC	5	IN	HTTP/1.1 302 Found Set-Cookie: qPdM=3LLuUALVcdxm; path=/; samesite=none; secure; httponly Set-Cookie: qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; path=/; samesite=none; secure; httponly location: /__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0 Date: Fri, 25 Aug 2023 13:28:22 GMT Connection: close Transfer-Encoding: chunked
2023-08-25 13:28:23 UTC	6	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-08-25 13:28:31 UTC	957	OUT	GET /aadcdn.msauth.net/~/shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg HTTP/1.1 Host: 0ffice-authentication.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0
2023-08-25 13:28:31 UTC	958	IN	HTTP/1.1 200 OK Date: Fri, 25 Aug 2023 13:28:31 GMT Content-Type: image/svg+xml Content-Length: 1435 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Fri, 17 Jan 2020 19:28:38 GMT ETag: 0x8D79B8373CB2849 x-ms-request-id: 65733c1b-901e-0012-7249-d7d155000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20230825T132831Z-b6hgxyhcch3mb75xnmu97w8gxs00000004wg000000016vxb X-Cache: TCP_REMOTE_HIT Accept-Ranges: bytes
2023-08-25 13:28:31 UTC	959	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 bd 57 4d 6f 1c 37 0c fd 2b 8b ed 75 56 96 48 4a a2 0a db 80 7b f2 c1 be fa 90 db b6 b1 b3 06 ec 26 88 17 76 fa ef fb 28 51 b3 46 91 a2 c9 a5 b0 f7 61 57 1c 51 fc 7c e2 9c bf bc 7e da 7c 7b 7e fa f3 e5 62 7b 38 1e bf fc 7a 76 f6 f6 f6 16 de 38 7c fe fa e9 8c 62 8c 67 78 62 bb 79 7b fc 78 3c 5c 6c 53 d4 ed e6 70 ff f8 e9 70 bc d8 92 6c 37 af 8f f7 6f bf 7d fe 76 b1 8d 9b b8 81 74 83 c5 cb f3 e3 e3 f1 e9 fe 72 ff f2 72 7f 7c 39 3f 1b bf ce bf ec 8f 87 cd c7 8b ed ad 48 50 2e 8b 84 72 97 34 c8 61 47 41 ee 6a c8 ca d7 82 af 37 ac 21 a5 b6 98 ec 9a 4b c8 9c 6e 98 42 12 5a fa 43 87 5d 88 d4 fa d6 6b 6a a1 dd 41 d1 81 83 70 b9 e1 1a 78 49 a6 fe 10 62 d6 1b 49 21 4b b6 93 3e 3c d3 92 42 94 b6 4f 81 8a 2e 03 23 fe d2 12 24 b5 5d 68 a5 Data Ascii: WMo7+uVHJ{&v(QFaWQ\|~\|{~b{8zv8\|bgxby{x<\lSppl7o}vtrr\|9?HP.r4aGAj7!KnBZC]kjApxIbI!K><BO.#$]h

Timestamp	kBytes transferred	Direction	Data
2023-08-25 13:28:32 UTC	960	OUT	GET /aadcdn.msauth.net/~/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d.svg HTTP/1.1 Host: 0ffice-authentication.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0
2023-08-25 13:28:33 UTC	961	IN	HTTP/1.1 200 OK Date: Fri, 25 Aug 2023 13:28:33 GMT Content-Type: image/svg+xml Content-Length: 673 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Wed, 12 Feb 2020 22:01:30 GMT ETag: 0x8D7B0071D86E386 x-ms-request-id: 2a42fe93-501e-0066-23b3-d48f5d000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20230825T132833Z-5xm45gb8010t77ez01bnb7awc400000002k000000000p5r2 X-Cache: TCP_HIT Accept-Ranges: bytes
2023-08-25 13:28:33 UTC	962	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 b5 55 db 6e db 30 0c fd 15 c1 7d 69 1e ac 50 b2 ae 43 1c a0 37 6c 2f c3 0a 64 fd 80 d4 b1 13 03 ae 1d d8 6e d3 f6 eb 47 ca f6 96 0c 79 6c 10 20 e6 91 45 f2 f0 98 94 16 dd db 96 bd bf 54 75 97 46 bb be df 7f 9b cf 0f 87 03 3f 24 bc 69 b7 73 09 00 73 dc 11 b1 43 b9 e9 77 69 24 bc 84 88 ed f2 72 bb eb 11 81 43 54 94 55 95 46 75 53 e7 d1 72 b1 65 cd 7e 9d 95 fd 47 1a 71 19 b1 ac 2a f7 f1 7e 4d ae af 6d 75 7d f5 30 c3 3d 84 d9 26 8d 7e 0a 65 0c 57 4c 58 af b9 cc bc 06 9e 58 06 88 25 70 17 1b 69 b9 96 13 12 0a 04 37 2b a9 84 e1 d6 c6 02 c0 b1 c1 3f d8 b1 d4 0a cd c4 01 57 4e 0e 88 25 3e e1 a6 b3 16 d7 24 ed a6 08 63 bc 11 7d 4e f4 03 bb 9b 59 34 3f a2 97 78 c5 31 bf 13 9a 9b cc 2a c3 b5 23 76 89 16 c8 47 61 6c 39 01 21 02 39 81 41 Data Ascii: Un0}iPC7l/dnGyl ETuF?$issCwi$rCTUFuSre~Gq~Mmu}0=&~eWLXX%pi7+?WN%>$c}NY4?x1#vGal9!9A

Timestamp	kBytes transferred	Direction	Data
2023-08-25 13:28:39 UTC	963	OUT	GET /aadcdn.msauth.net/~/shared/1.0/content/js/asyncchunk/convergedlogin_pstringcustomizationhelper_76bb127b5869a5c6b8b3.js HTTP/1.1 Host: 0ffice-authentication.com Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=true Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; brcap=0
2023-08-25 13:28:40 UTC	971	IN	HTTP/1.1 200 OK Cache-Control: public, max-age=31536000 content-length: 113440 Content-Type: application/x-javascript Content-Encoding: gzip Content-MD5: SxsaXa39nTRc5WmIHM+/cw== Last-Modified: Thu, 26 Jan 2023 00:32:56 GMT ETag: 0x8DAFF34DE8E0647 X-Cache: TCP_MISS x-ms-request-id: 7bf3d98a-d01e-0016-2958-d77d5d000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,Content-MD5,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * X-Azure-Ref-OriginShield: 0h6zoZAAAAAB0zuHgBEuUSbbmm84uazR0QU1TMDRFREdFMTkyMgAzOWExMmY3ZS04OTlmLTQ2Y2YtYTZkMC0yNGJiYmEyN2Q5NTY= X-Azure-Ref: 0h6zoZAAAAAAOlQ6x0ZGXT6rRWc4v11ezU1RPRURHRTE0MDYAMzlhMTJmN2UtODk5Zi00NmNmLWE2ZDAtMjRiYmJhMjdkOTU2 Date: Fri, 25 Aug 2023 13:28:39 GMT Connection: close Content-Security-Policy: default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'; form-action * data: blob: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: filesystem: ; frame-ancestors 'self' * http://* https://* file://* about: javascript: data: blob: filesystem: ; object-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';
2023-08-25 13:28:40 UTC	972	IN	Data Raw: 1f 8b 08 00 00 00 00 00 00 03 e4 bd 79 7f db 38 b2 28 fa ff fd 14 b6 a6 c7 11 db b4 2c 6a 97 6d c6 e3 78 e9 64 a6 bb 93 93 a5 e7 cc c8 ea 0c 45 41 12 db 14 29 93 94 97 c4 9e cf fe aa 0a 3b 29 67 39 e7 9e 7b df ef bd cc 34 4d 14 0a 85 42 01 28 14 0a 05 6a ff c7 ed ff b5 f5 e3 d6 de b7 ff db 7a f7 fe e4 ed fb ad d7 17 5b ef 5f be 7a 7b b6 f5 06 52 ff d8 fa f5 f5 fb 57 a7 e7 df 4e 07 2b c5 ff de 2f a2 7c 6b 16 c5 6c 0b fe 4e 82 9c 4d b7 d2 64 2b cd b6 a2 24 4c b3 55 9a 05 05 cb b7 96 f0 cc a2 20 de 9a 65 e9 72 ab 58 b0 ad 55 96 fe c1 c2 22 df 8a a3 bc 80 42 13 16 a7 b7 5b 75 20 97 4d b7 de 04 59 71 bf f5 ea 8d d3 00 fa 0c a8 45 f3 28 81 d2 61 ba ba 87 f7 45 b1 95 a4 45 14 b2 ad 20 99 12 b5 18 12 49 ce b6 d6 c9 94 65 5b b7 8b 28 5c 6c fd 12 85 59 9a a7 b3 62 Data Ascii: y8(,jmxdEA);)g9{4MB(jz[_z{RWN+/\|klNMd+$LU erXU"B[u MYqE(aEE Ie[(\lYb
2023-08-25 13:28:40 UTC	987	IN	Data Raw: 9d 2d 97 80 2e b9 5e 32 f1 c1 62 f2 ba bc 3d ff c9 48 6c 3c d0 98 18 39 d5 ef 8d 19 b9 1f 56 95 7c fe 1d c5 cc 8a 63 27 1e ac 38 76 6a 58 59 f1 d2 d8 d2 97 d8 a9 25 46 90 3a e9 21 23 48 9d 76 de 99 11 a4 4e 26 66 66 05 a9 23 8d b7 22 90 0d 56 09 5e 42 26 05 81 54 5d d6 24 dd 47 81 b5 1b ae 3e 0d 55 66 e9 ee 13 4d e3 8a 53 ba 65 a1 57 a0 56 08 bb 8d 5b 0e fa a5 af 1e eb 0a cc fb 4f 6d 59 b0 74 01 4a f1 ba f1 06 54 5f e7 56 af 40 d1 56 57 e5 56 6e a5 74 ab b9 92 4d d5 8a 8b 4a 4f 1b 57 89 8c 18 4b 2e 7f 23 4f c5 54 f2 9e c4 9c ea 45 a8 8e 99 55 be 9f 14 ca cc 0d 17 9b 86 32 af 72 6f 69 a8 da 5c be 9d d4 33 32 c4 ec 08 5a 06 cc 16 9d 6a 6b f5 82 52 a8 0a 6d 38 20 2c e7 49 7b a8 5d ce b0 ee 28 a9 ae d8 70 49 89 be 80 21 32 2b 6c 86 3a af d2 bf 9d 72 9e d4 56 Data Ascii: -.^2b=Hl<9V\|c'8vjXY%F:!#HvN&ff#"V^B&T]$G>UfMSeWV[OmYtJT_V@VWVntMJOWK.#OTEU2roi\32ZjkRm8 ,I{](pI!2+l:rV
2023-08-25 13:28:40 UTC	988	IN	Data Raw: f7 32 26 6a ea 49 d8 8d 0d 89 c2 2b fb b6 e8 40 82 4b 06 7d e5 de 61 77 76 29 3f 4e 5c b9 54 38 e4 44 8c 9f 2e e1 90 2b 1d ca c8 eb a9 d4 f2 f2 f5 db 5f f9 08 61 84 20 7e 13 e9 8e 1c 45 45 f9 f7 ec 4c e5 da 56 00 2b 1c bc 2d a1 95 40 f1 ae cc b1 a2 c4 89 2f f4 8d 28 83 39 e0 dd 45 30 81 45 db 11 e5 41 b9 23 f5 41 49 f5 81 4b 8e 60 7f ce b5 48 99 3c d0 a0 9d 62 91 ae 26 72 3c b5 69 f3 0a 10 e3 5a b7 c7 21 b2 4e ea f8 8a 71 3e e1 48 25 e3 bc 2b a0 2a f0 23 20 6f 60 91 e6 8a 03 ea 11 eb d0 9c c6 60 16 48 59 f0 af f2 bf 7f 7b 72 76 6e 02 0a cb 65 da 25 d7 90 84 69 57 33 ff 3d a8 6a b4 2d ff f2 c1 c6 60 db 49 c7 c8 51 ce ca d0 00 1a 01 b8 dc 47 b5 39 fe 56 b2 a4 26 6b 97 09 2a ac 44 d5 d8 c9 05 e4 9a 7b 9f 45 2b e3 b7 9e c5 2c 47 a0 c6 13 15 e7 6a ff 34 e5 80 Data Ascii: 2&jI+@K}awv)?N\T8D.+_a ~EELV+-@/(9E0EA#AIK`H<b&r<iZ!Nq>H%+# o``HY{rvne%iW3=j-`IQG9V&kD{E+,Gj4
2023-08-25 13:28:40 UTC	996	IN	Data Raw: a7 bd 6f 6d 6e db 58 16 fc be bf 42 62 6c 19 30 40 f1 a1 87 23 92 20 a3 6b 3b bb ae ca b9 71 25 b9 f7 c3 21 69 1e 90 04 49 44 20 c0 00 a4 1e 16 b8 bf 7d bb 7b de 00 28 c9 3e f7 d4 dd da da 54 2c 02 83 79 f6 f4 f4 f4 f4 f4 43 5d 10 64 db 87 88 3c 72 06 f7 db ba 1f 85 cb b8 53 73 30 db 78 6c 8c f1 c0 cd aa b6 0e dc b5 71 a7 6a f4 42 48 fd b1 1b 28 1e 60 97 6b da 08 65 86 94 32 b8 45 68 a9 0a 08 5c ec a0 06 44 b6 bb c2 ad fd d8 3a 44 57 bb 2b 21 11 c2 b3 33 42 cb dd 78 0f 12 5a bd 0d 41 0c cf ce 30 10 40 fa 15 b2 19 30 c0 c7 f7 86 92 fb 7b ae 90 4c ab 9f 2d 8f 95 5c 1e ea db 13 94 9b e5 c1 8e fc 57 2e 86 15 ee 75 4e 1b ef 3c 34 88 4d 93 f9 83 9c 78 7c 51 68 33 05 c4 71 da 80 90 f6 0b 50 6c e5 ae 14 8a cd 8b b8 a5 50 78 fe af c3 ad 81 86 60 a8 69 7a 10 c7 34 Data Ascii: omnXBbl0@# k;q%!iID }{(>T,yC]d<rSs0xlqjBH(`ke2Eh\D:DW+!3BxZA0@0{L-\W.uN<4Mx\|Qh3qPlPx`iz4
2023-08-25 13:28:40 UTC	1004	IN	Data Raw: 8d c1 54 40 2b 36 a1 05 40 d0 cf 11 6c fc 31 ef 4c ac 8d 3f d4 52 9b df 02 15 48 f1 b8 e9 b7 4c 3b 39 09 fb 15 50 a8 04 a0 18 d6 cb e0 18 da 45 ca 0a a3 37 29 83 d8 cd 0f d1 19 b5 e1 8b a5 5c a6 2c 62 35 96 ae 02 cc 05 a2 33 3f e6 76 3a 1e 3c 9f 45 f2 89 50 39 bb 16 b2 3b 85 b1 d0 4c 96 af f4 bc 26 45 ae ee 96 20 21 11 c7 a0 81 9e 87 4e a2 b9 a2 1d 43 0c 8c 5e e0 6e bd aa 49 d2 cc a7 b6 03 25 ce e9 04 5d 49 ac 30 1a b5 5d ae 2f 06 1c e2 d9 2b ea 75 b7 4e 55 7b 4a 4c c4 70 6e 90 b2 73 97 39 27 78 72 ae de a8 b9 f0 38 cc d8 75 19 9c 47 82 0e 6c 43 28 f4 36 f7 3f e3 0d af 92 66 3e 4e 3e f0 6d e9 d6 aa e0 79 cd 19 0f f0 b0 38 dc d6 5b c4 e4 a6 c1 6d 90 12 db a4 ef 75 76 a7 d0 a4 80 9e 7d 70 eb 6d 9a 15 98 a3 ae 3a 2b 21 27 c9 16 0f a9 44 20 df c5 48 70 a3 81 Data Ascii: T@+6@l1L?RHL;9PE7)\,b53?v:<EP9;L&E !NC^nI%]I0]/+uNU{JLpns9'xr8uGlC(6?f>N>my8[muv}pm:+!'D Hp

Timestamp	kBytes transferred	Direction	Data
2023-08-25 13:28:23 UTC	6	OUT	GET /__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0 HTTP/1.1 Host: 0ffice-authentication.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I
2023-08-25 13:28:23 UTC	7	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Strict-Transport-Security: max-age=31536000; includeSubDomains P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" x-ms-request-id: c77d01d6-1b6b-485b-b493-6529d5746000 x-ms-ests-server: 2.1.16110.6 - SEC ProdSlices report-to: {"group":"network-errors","max_age":86400,"endpoints":[{"url":"https://identity.nel.measure.office.net/api/report?catId=GW+estsfd+SEC"}]} x-ms-clitelem: 1,50168,0,, nel: {"report_to":"network-errors","max_age":86400,"success_fraction":0.001,"failure_fraction":1.0} Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: fpc=Avk-wbVDnvdIr9avJqHlFZI; expires=Sun, 24-Sep-2023 13:28:23 GMT; path=/; secure; HttpOnly; SameSite=None Set-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly Set-Cookie: stsservicecookie=estsfd; path=/; secure; samesite=none; httponly Date: Fri, 25 Aug 2023 13:28:23 GMT Connection: close content-length: 20851 Content-Security-Policy: default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'; form-action * data: blob: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: filesystem: ; frame-ancestors 'self' * http://* https://* file://* about: javascript: data: blob: filesystem: ; object-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';
2023-08-25 13:28:23 UTC	9	IN	Data Raw: 0d 0a 0d 0a 3c 21 2d 2d 20 43 6f 70 79 72 69 67 68 74 20 28 43 29 20 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 2e 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64 2e 20 2d 2d 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e Data Ascii: ... Copyright (C) Microsoft Corporation. All rights reserved. --><!DOCTYPE html><html><head> <title>Redirecting</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="X-UA-Compatible" conten
2023-08-25 13:28:23 UTC	23	IN	Data Raw: 5f 52 65 70 6f 72 74 46 61 69 6c 75 72 65 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 72 29 7b 69 66 28 73 28 29 26 26 21 74 28 29 29 7b 74 68 72 6f 77 22 5b 52 65 74 72 79 20 22 2b 65 2b 22 5d 20 46 61 69 6c 65 64 20 74 6f 20 6c 6f 61 64 20 65 78 74 65 72 6e 61 6c 20 72 65 73 6f 75 72 63 65 20 5b 27 22 2b 72 2b 22 27 5d 2c 20 72 65 6c 6f 61 64 69 6e 67 20 66 72 6f 6d 20 66 61 6c 6c 62 61 63 6b 20 43 44 4e 20 65 6e 64 70 6f 69 6e 74 22 7d 7d 2c 66 2e 24 4c 6f 61 64 65 72 3d 63 7d 28 29 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 65 28 29 7b 69 66 28 21 24 29 7b 76 61 72 20 65 3d 6e 65 77 20 76 2e 24 4c 6f 61 64 65 72 3b 65 2e 41 64 64 49 66 28 21 76 2e 6a 51 75 65 72 79 2c 79 2e 73 62 75 6e 64 6c 65 2c 22 57 65 62 57 61 74 73 6f 6e 5f 44 65 6d Data Ascii: _ReportFailure=function(e,r){if(s()&&!t()){throw"[Retry "+e+"] Failed to load external resource ['"+r+"'], reloading from fallback CDN endpoint"}},f.$Loader=c}(),function(){function e(){if(!$){var e=new v.$Loader;e.AddIf(!v.jQuery,y.sbundle,"WebWatson_Dem

Timestamp	kBytes transferred	Direction	Data
2023-08-25 13:28:23 UTC	29	OUT	GET /aadcdn.msauth.net/~/shared/1.0/content/js/BssoInterrupt_Core_nun_Nob0yT2WjCUfgBCTog2.js HTTP/1.1 Host: 0ffice-authentication.com Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; fpc=Avk-wbVDnvdIr9avJqHlFZI; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd
2023-08-25 13:28:24 UTC	31	IN	HTTP/1.1 200 OK Date: Fri, 25 Aug 2023 13:28:24 GMT Content-Type: application/x-javascript content-length: 138740 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Wed, 12 Jul 2023 10:42:33 GMT ETag: 0x8DB82C4B32A50A1 x-ms-request-id: e6985c1f-d01e-0052-57f4-d50244000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20230825T132824Z-0zzug582f97wz2ve9054setc4n00000002tg00000001w2ev X-Cache: TCP_HIT Accept-Ranges: bytes Content-Security-Policy: default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'; form-action * data: blob: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: filesystem: ; frame-ancestors 'self' * http://* https://* file://* about: javascript: data: blob: filesystem: ; object-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';
2023-08-25 13:28:24 UTC	32	IN	Data Raw: 1f 8b 08 00 00 00 00 00 00 03 bc bd 7b 5f e3 38 d2 30 fa ff f3 29 82 77 0f 63 4f 4c c8 05 68 70 70 e7 4d 03 dd cd 0c b7 21 61 7a 66 69 96 9f 93 08 70 77 62 67 6d 07 9a 09 79 3f fb a9 8b 64 cb 8e 43 f7 ec 73 7e 67 2e c1 96 4a b2 54 aa 2a 55 95 4a d2 e6 cf 6b ff 53 f9 b9 b2 f1 e3 ff 54 7a fd ee 65 bf 72 fe be d2 ff 78 7c 79 58 b9 80 b7 3f 2b 67 e7 fd e3 83 a3 1f af 07 3f 8a ff f7 1f fc b8 72 e7 8f 45 05 fe 0e bc 58 8c 2a 61 50 09 a3 8a 1f 0c c3 68 1a 46 5e 22 e2 ca 04 7e 23 df 1b 57 ee a2 70 52 49 1e 44 65 1a 85 5f c4 30 89 2b 63 3f 4e a0 d0 40 8c c3 a7 8a 09 d5 45 a3 ca 85 17 25 cf 95 e3 0b ab 06 f5 0b a8 cd bf f7 03 28 3d 0c a7 cf f0 fc 90 54 82 30 f1 87 a2 e2 05 23 aa 6d 0c 2f 41 2c 2a b3 60 24 a2 ca d3 83 3f 7c a8 9c fa c3 28 8c c3 bb a4 12 89 a1 f0 1f Data Ascii: {_80)wcOLhppM!azfipwbgmy?dCs~g.JTUJkSTzerx\|yX?+g?rEXaPhF^"~#WpRIDe_0+c?N@E%(=T0#m/A,*`$?\|(
2023-08-25 13:28:24 UTC	47	IN	Data Raw: 8d d8 f6 cc dc 91 1a 43 bc 1f b7 93 d4 04 9d 2a 85 98 2e 9c 4f 44 54 b9 4d a7 88 1f 4b 32 32 f1 58 c0 f6 18 a8 68 ec 46 80 77 d3 5a d4 06 30 95 d3 85 50 78 a6 56 46 90 49 2d 14 96 83 10 48 1c 71 0d 66 2a ed 68 93 d2 cb c5 85 ba 83 24 3b 3b 56 9d 8a 96 1e 34 26 3a 26 5e ef 0a ea 84 8d 37 b3 0a 3c 57 e4 9c 98 24 a6 9b 66 f1 bc 78 91 5e 56 11 77 02 3e 85 59 66 80 a2 82 67 27 75 02 ac c0 4d 9c 00 2f f9 71 e4 41 4c d1 fa 7a c4 15 1e 8f d6 d7 a9 c5 7c 65 cb 9c 12 49 d9 34 d0 1f c1 bd 30 6c 09 eb a4 a5 38 85 06 5c 25 f2 e8 d3 23 69 c0 81 ad 37 d9 89 80 7a 13 44 0f 9e 86 2b 77 c4 00 cd 70 76 01 49 ea 96 78 3c 82 7c be b0 0a e7 9c 99 46 92 12 01 25 b0 43 dd c0 6b 95 82 5a 69 9e bb 06 9c 10 68 ed 74 f5 97 97 97 48 3b 5d a6 86 9a 83 3d 7f 04 a9 8d 67 67 8c 1d 61 cb Data Ascii: C.ODTMK22XhFwZ0PxVFI-Hqfh$;;V4&:&^7<W$fx^Vw>Yfg'uM/qALz\|eI40l8\%#i7zD+wpvIx<\|F%CkZihtH;]=gga
2023-08-25 13:28:24 UTC	48	IN	Data Raw: e0 65 ac ed 5e 6d 50 90 c1 ea 36 1b b4 68 b5 5b a3 22 b7 07 b2 b5 de f6 f7 93 f4 5e 9b b6 5f ad 5a 91 1b 5d 27 d7 fe 0d 74 16 fe 66 99 37 d0 83 85 dd ab 9d 2c 4d 63 78 8a 36 4a 92 5e ed 51 9e d9 68 90 54 30 20 65 60 1a 8f 2a 70 25 cd b7 e0 51 ce 53 ee 7c 84 eb 57 57 d3 11 2d be e2 9d 5d 31 f9 35 79 2d 97 24 38 25 e3 b0 c3 e4 83 0a 79 7c 08 0a 66 14 3e 8b 11 64 e0 67 3d 5d 7e a6 e3 28 0a fd 47 86 10 96 af 8e d8 c6 e3 b2 03 33 b1 05 1e c3 9d 8d be c4 1a de 6b 6c e5 8a 06 aa 68 c0 c7 7c 63 39 37 d0 cf f0 16 8b 72 e6 ac 88 da ed 2d 1d 1d 7e 7b eb c2 40 17 98 51 bf 86 10 51 29 4f 51 1e 58 38 d5 b7 91 4d 0e 81 b6 54 62 fe 30 6f cc 3d f3 c0 60 00 ea e1 ab 2b 71 2c 7c 79 20 7d 45 aa a7 fe f2 d5 04 79 0b 18 d5 cc b4 89 ce f5 cd 42 73 e9 d1 fd 06 f6 5d 89 2c ab f0 Data Ascii: e^mP6h["^_Z]'tf7,Mcx6J^QhT0 e`*p%QS\|WW-]15y-$8%y\|f>dg=]~(G3klh\|c97r-~{@QQ)OQX8MTb0o=`+q,\|y }EyBs],
2023-08-25 13:28:24 UTC	56	IN	Data Raw: 6f 73 ef de df b6 91 a4 8d fe 7f 3e 05 89 f5 cf 06 42 88 96 9c 64 32 01 8d f0 67 cb f2 c4 19 df d6 b2 93 cc c8 1a 2d 48 80 12 2c 0a e0 00 a0 64 8d c4 ef 7e ea a9 ea 6e 34 2e 94 9d d9 39 e7 7d 67 37 16 01 34 1a 7d ad ae eb 53 3b 8f a8 c7 a6 b6 dc 8f ea b3 3a c6 20 2d f0 cf 2a 7c 44 9d 5c 4e 46 a3 cc 1f 8d 56 5e f6 98 1a bd 50 d1 b6 8d b6 67 ec dd e8 d3 88 70 cc a6 2a 60 46 65 c5 8f 59 fe fa eb dc 5d f8 b1 ee a7 72 37 0c 64 52 37 eb 30 dd 68 14 eb 27 b5 4c 5e ca 5e a3 f7 e1 89 78 ef ae 45 22 5c 62 47 20 df e6 c8 95 f6 46 81 b2 fd 76 10 29 5b 63 95 d3 cf f3 7c ac 35 0f 74 54 2d 93 b2 e4 c0 4e 10 02 a2 2f 54 e0 01 bf f4 60 20 02 f6 78 f0 62 c1 05 ae 52 3a f5 a8 06 58 86 d9 7e 39 97 fc 23 52 b7 af 82 47 c5 67 2c 83 f3 98 ce 78 61 31 f3 0a f8 d8 cd c7 d9 cc 0e Data Ascii: os>Bd2g-H,d~n4.9}g74}S;: -\|D\NFV^Pgp`FeY]r7dR70h'L^^xE"\bG Fv)[c\|5tT-N/T` xbR:X~9#RGg,xa1
2023-08-25 13:28:24 UTC	64	IN	Data Raw: 00 07 b0 4f ed 22 9c 93 b4 09 30 a1 92 01 56 33 16 67 b1 86 d6 59 fa cf 75 82 0d c5 2e 7c 6e 33 d5 b0 95 d0 87 8f c6 c2 e6 c5 79 fe 9e 22 9b 2b 5c 0f cf 1d bf e8 3f 3f 6d 0a 41 2c 07 56 d8 7c ea 9a 45 17 1a ac 04 f0 5e d4 d4 02 23 a7 1f 22 7f 03 4f f7 70 58 05 29 87 ca 57 4d 27 34 5a b4 91 90 3b 44 85 9b 17 19 b6 cf ec 11 9e ba 2d 54 4c a3 e0 58 b2 00 ef af 23 45 22 8f bf 48 fd 9e cd dc fa 65 49 c0 70 00 b3 ad c6 31 9a 97 25 37 00 cb bc 73 93 e9 bc 7a a1 92 05 2b 2d 2f cb af 24 bb 13 65 88 a8 7a 54 7b d5 f4 8b f4 b8 fe 7c a6 ac 2e 76 e7 95 37 a7 3a 86 b8 65 92 d8 fd 6b 1b 57 81 6e 13 63 c7 c9 e0 7b 28 a5 a3 9f 39 44 71 01 f4 a0 af 19 0a 56 5f 84 f5 c0 a8 5b 5b be 5f 37 b0 6e 79 cf 92 b6 26 db d0 53 f6 57 68 73 ad 1d 2f 90 cc b5 cf 39 db 23 36 ef d1 d6 aa Data Ascii: O"0V3gYu.\|n3y"+\??mA,V\|E^#"OpX)WM'4Z;D-TLX#E"HeIp1%7sz+-/$ezT{\|.v7:ekWnc{(9DqV_[[_7ny&SWhs/9#6

Timestamp	kBytes transferred	Direction	Data
2023-08-25 13:28:24 UTC	80	OUT	GET /__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=true HTTP/1.1 Host: 0ffice-authentication.com Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document Referer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; fpc=Avk-wbVDnvdIr9avJqHlFZI; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1
2023-08-25 13:28:25 UTC	85	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Strict-Transport-Security: max-age=31536000; includeSubDomains Link: <https://aadcdn.msauth.net>; rel=preconnect; crossorigin, <https://aadcdn.msauth.net>; rel=dns-prefetch, <https://aadcdn.msftauth.net>; rel=dns-prefetch P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" x-ms-request-id: f4a7a3f3-bec0-4b44-82f9-89024cee5d00 x-ms-ests-server: 2.1.16150.3 - NEULR1 ProdSlices report-to: {"group":"network-errors","max_age":86400,"endpoints":[{"url":"https://identity.nel.measure.office.net/api/report?catId=GW+estsfd+SEC"}]} x-ms-clitelem: 1,0,0,, nel: {"report_to":"network-errors","max_age":86400,"success_fraction":0.001,"failure_fraction":1.0} Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; expires=Sun, 24-Sep-2023 13:28:25 GMT; path=/; secure; HttpOnly; SameSite=None Set-Cookie: esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; domain=0ffice-authentication.com; path=/; secure; HttpOnly; SameSite=None Set-Cookie: fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA; expires=Sun, 24-Sep-2023 13:28:25 GMT; path=/; secure; HttpOnly; SameSite=None Set-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly Date: Fri, 25 Aug 2023 13:28:24 GMT Connection: close content-length: 44735 Content-Security-Policy: default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'; form-action * data: blob: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: filesystem: ; frame-ancestors 'self' * http://* https://* file://* about: javascript: data: blob: filesystem: ; object-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';
2023-08-25 13:28:25 UTC	87	IN	Data Raw: 0d 0a 0d 0a 3c 21 2d 2d 20 43 6f 70 79 72 69 67 68 74 20 28 43 29 20 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 2e 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64 2e 20 2d 2d 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 20 63 6c 61 73 73 3d 22 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 69 67 6e 20 69 6e 20 74 6f 20 79 6f 75 72 20 61 63 63 6f 75 6e 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 Data Ascii: ... Copyright (C) Microsoft Corporation. All rights reserved. --><!DOCTYPE html><html dir="ltr" class="" lang="en"><head> <title>Sign in to your account</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
2023-08-25 13:28:25 UTC	101	IN	Data Raw: 79 33 4a 45 6e 4d 50 54 68 37 4c 64 66 6f 6f 36 77 2d 34 78 4a 6b 55 68 6b 79 77 5a 6c 50 2d 57 75 6c 6d 70 4f 33 70 72 52 73 65 47 59 4b 42 49 56 56 70 6c 4a 77 5c 75 30 30 32 36 72 65 73 70 6f 6e 73 65 5f 6d 6f 64 65 3d 66 6f 72 6d 5f 70 6f 73 74 5c 75 30 30 32 36 6e 6f 6e 6f 6e 63 65 3d 36 33 37 39 32 39 39 30 33 37 37 36 34 36 36 36 38 31 2e 59 32 59 34 59 6a 4e 6a 4f 57 49 74 4e 57 52 6c 4d 69 30 30 4e 57 52 6d 4c 57 45 79 4e 47 45 74 4e 47 4d 78 4d 32 52 68 4e 6a 68 6d 4d 6d 59 31 4e 54 49 33 59 6d 4d 35 4f 54 4d 74 4f 57 45 79 4e 69 30 30 59 57 4a 6a 4c 54 67 35 5a 44 41 74 59 6d 59 79 4d 6a 67 77 4f 57 46 6a 4d 57 55 78 5c 75 30 30 32 36 78 2d 63 6c 69 65 6e 74 2d 53 4b 55 3d 49 44 5f 4e 45 54 53 54 41 4e 44 41 52 44 32 5f 30 5c 75 30 30 32 36 78 Data Ascii: y3JEnMPTh7Ldfoo6w-4xJkUhkywZlP-WulmpO3prRseGYKBIVVplJw\u0026response_mode=form_post\u0026nononce=637929903776466681.Y2Y4YjNjOWItNWRlMi00NWRmLWEyNGEtNGMxM2RhNjhmMmY1NTI3YmM5OTMtOWEyNi00YWJjLTg5ZDAtYmYyMjgwOWFjMWUx\u0026x-client-SKU=ID_NETSTANDARD2_0\u0026x
2023-08-25 13:28:25 UTC	117	IN	Data Raw: 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 2f 2f 3c 21 5b 43 44 41 54 41 5b 0a 21 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3d 77 69 6e 64 6f 77 2c 72 3d 65 2e 24 44 65 62 75 67 3d 65 2e 24 44 65 62 75 67 7c 7c 7b 7d 2c 74 3d 65 2e 24 43 6f 6e 66 69 67 7c 7c 7b 7d 3b 69 66 28 21 72 2e 61 70 70 65 6e 64 4c 6f 67 29 7b 76 61 72 20 6e 3d 5b 5d 2c 6f 3d 30 3b 72 2e 61 70 70 65 6e 64 4c 6f 67 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 72 3d 74 2e 6d 61 78 44 65 62 75 67 4c 6f 67 7c 7c 32 35 2c 69 3d 28 6e 65 77 20 44 61 74 65 29 2e 74 6f 55 54 43 53 74 72 69 6e 67 28 29 2b 22 3a 22 2b 65 3b 6e 2e 70 75 73 68 28 6f 2b 22 3a 22 2b 69 29 2c 6e 2e 6c 65 6e 67 74 68 3e 72 26 26 6e 2e 73 68 69 66 74 28 29 2c Data Ascii: cript type="text/javascript">//<![CDATA[!function(){var e=window,r=e.$Debug=e.$Debug\|\|{},t=e.$Config\|\|{};if(!r.appendLog){var n=[],o=0;r.appendLog=function(e){var r=t.maxDebugLog\|\|25,i=(new Date).toUTCString()+":"+e;n.push(o+":"+i),n.length>r&&n.shift(),

Timestamp	kBytes transferred	Direction	Data
2023-08-25 13:28:25 UTC	82	OUT	GET /favicon.ico HTTP/1.1 Host: 0ffice-authentication.com Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; fpc=Avk-wbVDnvdIr9avJqHlFZI; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1
2023-08-25 13:28:25 UTC	84	IN	HTTP/1.1 404 Not Found Cache-Control: private Set-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly Strict-Transport-Security: max-age=31536000; includeSubDomains P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" x-ms-request-id: 5ed61a02-7dde-4f57-9556-b7a1937a8a00 x-ms-ests-server: 2.1.16150.3 - WEULR1 ProdSlices report-to: {"group":"network-errors","max_age":86400,"endpoints":[{"url":"https://identity.nel.measure.office.net/api/report?catId=GW+estsfd+SEC"}]} nel: {"report_to":"network-errors","max_age":86400,"success_fraction":0.001,"failure_fraction":1.0} Referrer-Policy: strict-origin-when-cross-origin Date: Fri, 25 Aug 2023 13:28:24 GMT Connection: close Content-Length: 0 Content-Security-Policy: default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'; form-action * data: blob: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: filesystem: ; frame-ancestors 'self' * http://* https://* file://* about: javascript: data: blob: filesystem: ; object-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';

Timestamp	kBytes transferred	Direction	Data
2023-08-25 13:28:25 UTC	131	OUT	GET /aadcdn.msauth.net/~/ests/2.1/content/cdnbundles/converged.v2.login.min_xs4q-enqjizb-pd0ha63sw2.css HTTP/1.1 Host: 0ffice-authentication.com Connection: keep-alive sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: text/css,/;q=0.1 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: style Referer: https://0ffice-authentication.com/__//eqooqp/qcwvj2/x2.0/cwvjqtkbg?enkgpv_kf=4765445d-32e6-49d0-83g6-1f93765276ec&tgfktgev_wtk=jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hncpfkpix2&tgurqpug_varg=eqfg%20kf_vqmgp&ueqrg=qrgpkf%20rtqhkng%20jvvru%3C%2H%2Hyyy.qhhkeg.eqo%2Hx2%2HQhhkegJqog.Cnn&tgurqpug_oqfg=hqto_rquv&pqpeg=637929903776466681.A2A4AlPlQYKvPYTnOk00PYToNYGaPIGvPIOzO2TjPljoOoA1PVK3AoO5QVOvQYGaPk00AYLlNVi5BFCvAoAaOliyQYHlOYWz&wk_nqecngu=gp-WU&omv=gp-WU&uvcvg=I-XnsevaZLqScbPfu6RYpY7IJD_LTOPESPKueoPo49a8yaDo0kqCdRJbDG3lbRNIEam2zNMQCsdLvyVNVNFWspCLHwP5Uk8CHlDZMafbjd6z4GKk3_P0qHa9xXPJADlYDaFR66v5o5Tc01hUKi5E_UkoKs8q1prnbGla9Aj5bbLO6ATkGK82KM6RbZaa32JC_42rdz0FxBy525JrewXiOC1XYRBkEMHna3LGpORVj7Nfhqq6y-4zLmWjmayBnR-YwnorQ3rtTugIAMDKXXrnLy&z-enkgpv-UMW=KF_PGVUVCPFCTF2_0&z-enkgpv-xgt=6.12.1.0&sso_reload=true Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: qPdM=3LLuUALVcdxm; qPdM.sig=cetwzwVUjaGABqN2Xw3_y9RWw6I; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; AADSSO=NA\|NoExtension; SSOCOOKIEPULLED=1; buid=0.AU4AMe_N-B6jSkuT5F9XHpElWltEZUfGMrBJg-Ydk3ZSdsoBAAA.AQABAAEAAAAtyolDObpQQ5VtlI4uGjEPIsXwUtzjezO-e7ZNxKF6l-bKxkFN5vjWT953orPkLGechW-XXIqdiVGSll4h8zNO4axP5vQLs5TBQ380iSlAFfbaYQ3Rdz6QZ0whPXbziS0gAA; esctx=PAQABAAEAAAAtyolDObpQQ5VtlI4uGjEPs_5MNkwjNOKl49mM6kVZPsChkx_zm-vFsapfBkhONR7hN5VRQ5XRFDuKcwFrftO0KBe4Eg-aTNfTBC-hmg2oM3OKCHIcwMDujsivX_d_IzSdd2kTfiNsYYdl4n9gvVAoDwpr6hdIScOZy9aLv9gKFNbvp53OEzkIwW_WdPOJXMfT79mxWUKlVPMMMTi5N6nd0tnSaGVQQ9_GFTLOcwFjWkjAOlFvoicYNO-vEaVqbMQgAA; fpc=Avk-wbVDnvdIr9avJqHlFZK8Ae7AAQAAAHijetwOAAAA
2023-08-25 13:28:25 UTC	331	IN	HTTP/1.1 200 OK Date: Fri, 25 Aug 2023 13:28:25 GMT Content-Type: text/css Content-Length: 20105 Connection: close Cache-Control: public, max-age=31536000 Content-Encoding: gzip Last-Modified: Wed, 17 May 2023 19:54:03 GMT ETag: 0x8DB5710770A6D5D x-ms-request-id: 0b9105c7-b01e-0094-33fd-d57c0c000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20230825T132825Z-n5bqezvs8d32m5n8kszxtvystw00000002n0000000004k9u X-Cache: TCP_HIT Accept-Ranges: bytes
2023-08-25 13:28:25 UTC	331	IN	Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed 7d 6b 73 e3 36 b2 e8 f7 f9 15 5c a7 52 3b ce 4a 8c 48 3d 2d 57 52 3b 99 cc 26 3e 67 5e 35 33 d9 47 a5 52 5b b4 44 59 3c 43 89 ba 24 65 8f 57 47 ff fd e2 8d 06 d0 20 29 8f b3 d9 7b 2b 27 67 13 0b dd 6c 00 dd 8d 06 1a e8 06 be fe ea 0f c1 f3 62 77 5f 66 37 eb 3a 78 fa fc 3c 78 95 2d ca a2 2a 56 35 29 2f 77 45 99 d4 59 b1 0d 83 67 79 1e 30 a4 2a 28 d3 2a 2d 6f d3 65 18 7c f5 f5 d7 5f fd e1 49 bf fb ff 05 ef 3f 3c 7b f7 21 78 f3 97 e0 c3 8f 57 ef be 0f de 92 5f ff 08 5e bf f9 70 f5 fc 45 d0 99 ca 93 27 1f d6 59 15 ac b2 3c 0d c8 7f af 93 2a 5d 06 c5 36 28 ca 20 db 2e 44 ab d3 2a d8 90 7f 97 59 92 07 ab b2 d8 04 f5 3a 0d 76 65 f1 3f e9 82 f4 21 cf aa 9a 7c 74 9d e6 c5 5d f0 94 90 2b 97 c1 db a4 ac ef 83 ab b7 e7 61 f0 81 e0 16 Data Ascii: }ks6\R;JH=-WR;&>g^53GR[DY<C$eWG ){+'glbw_f7:x<x-V5)/wEYgy0(-oe\|_I?<{!xW_^pE'Y<]6( .D*Y:ve?!\|t]+a
2023-08-25 13:28:25 UTC	347	IN	Data Raw: 7d 1e cf dc 03 77 34 cb c1 26 7e a1 a3 0d 81 a9 e1 86 c0 e4 78 03 95 19 dc f7 94 9b 0d c2 20 ad 02 68 68 68 1b 1e 26 02 71 8b b5 e1 a4 a0 a7 c9 e6 8d ae 15 59 38 a4 4f c3 8b d9 39 72 1f 2c 00 62 85 44 4c bc fb 3a 7b 16 3f 1c 07 13 01 dc ca 1e c9 74 34 f9 87 b1 cb e0 be 5e ee 39 cb fc d4 07 3b 59 ee 83 0f c8 11 be 9d 73 86 bf 59 e7 79 64 90 5d 48 2d 5e 8e 9c 6f 92 6d b6 db e7 8c bd ee 6d aa e2 de 0d e3 b5 3b 11 3b 66 bb a2 46 86 e9 6f 31 17 43 de bb 4f a9 9b 51 6d 70 3f cd 56 81 47 98 66 6d 8a bf c1 5c 68 37 e1 b7 1c 5d 72 6e 74 de fb eb 38 4d b6 0b af f3 d4 64 a2 3f be d5 37 e9 ff 26 4c 47 83 3c c1 86 f7 31 cc 96 34 cf b3 be ff 8e 9f 4d c3 cd 70 23 1e 92 c8 09 1e a6 bb 71 96 7d 83 9c 71 65 08 a3 d6 c1 72 e1 36 8a 47 d0 7d c7 b8 09 57 f6 9c 2a ef d7 c8 38 Data Ascii: }w4&~x hhh&qY8O9r,bDL:{?t4^9;YsYyd]H-^omm;;fFo1COQmp?VGfm\h7]rnt8Md?7&LG<14Mp#q}qer6G}W*8

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MFA.png

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_metadata\verified_contents.json

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_pnacl_json

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_crtbegin_for_eh_o

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_crtbegin_o

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_crtend_o

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_ld_nexe

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_libcrt_platform_a

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_libgcc_a

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_libpnacl_irt_shim_a

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_libpnacl_irt_shim_dummy_a

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_pnacl_llc_nexe

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\_platform_specific\x86_64\pnacl_public_x86_64_pnacl_sz_nexe

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\manifest.fingerprint

C:\Program Files\chrome_PuffinComponentUnpacker_BeginUnzipping5992_595698718\manifest.json

C:\Windows\debug\WIA\wiatrace.log

Chrome Cache Entry: 214

Chrome Cache Entry: 215

Chrome Cache Entry: 216

Chrome Cache Entry: 217

Chrome Cache Entry: 218

Chrome Cache Entry: 219

Chrome Cache Entry: 220

Chrome Cache Entry: 221

Chrome Cache Entry: 222

Chrome Cache Entry: 223

Windows Analysis Report
MFA.png

Target ID:	0
Start time:	15:28:13
Start date:	25/08/2023
Path:	C:\Windows\SysWOW64\mspaint.exe
Wow64 process (32bit):	true
Commandline:	mspaint.exe "C:\Users\user\Desktop\MFA.png"
Imagebase:	0xc0000
File size:	6'589'440 bytes
MD5 hash:	B59CF145BBAE39672321768B33A01CFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	3
Start time:	15:28:20
Start date:	25/08/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://0ffice-authentication.com/?mfknxooz
Imagebase:	0x7ff71d210000
File size:	3'219'224 bytes
MD5 hash:	8D1C4713ACB7CC2AAAEE4477C58A80BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	4
Start time:	15:28:21
Start date:	25/08/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1888,i,2116380640700791652,7274111503676162324,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff71d210000
File size:	3'219'224 bytes
MD5 hash:	8D1C4713ACB7CC2AAAEE4477C58A80BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Description:	Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token .
Tactics:	Initial Access
Data Sources:	Network device logs, Network intrusion detection system, Packet capture, Process use of network, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre